Qualys Security Advisory
CISA has also acknowledged the active exploitation of two vulnerabilities in Apple's WebKit browser engine. CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog and requested that users patch them before Dec 25, 2023.
Clément Lecigne of Google's Threat Analysis Group discovered CVE-2023-42916 and CVE-2023-42917.
Apple's advisory notes that these vulnerabilities may have been exploited against versions of iOS released before iOS 16.7.1.
One of the issues is an out-of-bounds read that may allow an attacker to disclose sensitive information when web content is processed. Apple addressed it with improved input validation.
The other is a memory corruption issue that may allow an attacker to achieve arbitrary code execution when web content is processed. Apple addressed it with improved locking.
- Apple Safari versions prior to 17.1.2
- Apple macOS Sonoma versions prior to 14.1.2
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later
Customers must upgrade to macOS Sonoma 14.1.2, iOS 17.1.2, iPadOS 17.1.2, and Safari 17.1.2 to patch both vulnerabilities.
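The following script is an added example, not part of the Qualys advisory or any Qualys tooling. It takes the fixed versions named above and flags inventory entries that are still below them, so an administrator can confirm which assets remain unpatched before the CISA deadline. The inventory records (hostnames and versions) are constructed for illustration, and the product names used as keys are assumptions about how such an inventory labels platforms.

```python
"""Flag assets running Apple software older than the versions that fix
CVE-2023-42916 and CVE-2023-42917 (added example, not Qualys code)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed versions taken from the advisory text above.
FIXED_VERSIONS: Dict[str, Version] = {
    "macOS Sonoma": (14, 1, 2),
    "iOS": (17, 1, 2),
    "iPadOS": (17, 1, 2),
    "Safari": (17, 1, 2),
}


def parse_version(text: str) -> Version:
    """Convert '17.1' to (17, 1, 0) so tuples compare component by component.

    Padding to three components keeps '17.1' and '17.1.0' equal and avoids
    the string comparison trap where '17.1.2' < '17.1.10' would be judged
    incorrectly.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is covered by the advisory and the installed
    version is older than the fixed release."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not named in the advisory; nothing to compare
    return parse_version(version) < fixed


def find_vulnerable_assets(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries that still need the update."""
    return [a for a in inventory if is_vulnerable(a["product"], a["version"])]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "mac-01", "product": "macOS Sonoma", "version": "14.1.1"},
    {"host": "mac-02", "product": "macOS Sonoma", "version": "14.1.2"},
    {"host": "phone-01", "product": "iOS", "version": "16.7.1"},
    {"host": "phone-02", "product": "iOS", "version": "17.1.2"},
    {"host": "tablet-01", "product": "iPadOS", "version": "17.1"},
    {"host": "mac-03", "product": "Safari", "version": "17.1.2"},
]

if __name__ == "__main__":
    for asset in find_vulnerable_assets(SAMPLE_INVENTORY):
        print(f"{asset['host']}: {asset['product']} {asset['version']} needs upgrade")
```

Note that the check compares version tuples rather than strings; a two-component version such as "17.1" is padded before comparison so it is correctly reported as older than 17.1.2.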
Qualys customers can scan their devices with QIDs 379088, 379087, and 610530 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.