Apple has issued emergency security updates to backport patches for two actively exploited zero-day flaws to older iPhones and some Apple Watch and Apple TV models.
The two vulnerabilities, now tracked as CVE-2023-42916 and CVE-2023-42917, were discovered within the WebKit browser engine, developed by Apple and used by the company’s Safari web browser across its platforms (e.g., macOS, iOS, iPadOS).
They can let attackers obtain access to sensitive data through and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.
The company says the bugs are now also patched on the following list of devices:
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Apple TV HD and Apple TV 4K (all models)
- Apple Watch Series 4 and later
Clément Lecigne, a security researcher from Google’s Threat Analysis Group (TAG), discovered and reported both zero-day vulnerabilities.
Although Apple has yet to provide details about the vulnerabilities’ exploitation in attacks, researchers at Google TAG have frequently identified and disclosed information on zero-day flaws employed in state-sponsored surveillance software attacks targeting high-profile individuals, including journalists, opposition figures, and dissidents.
CISA also ordered Federal Civilian Executive Branch (FCEB) agencies last week, on December 4, to patch their devices against these two security vulnerabilities based on evidence of active exploitation.
Since the start of the year, Apple has patched 20 zero-day vulnerabilities exploited in attacks: