Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Apple has issued emergency fixes to plug security flaws in iPhones, iPads, and Macs that may already be under attack.

The software updates for iOS, iPadOS, macOS Sonoma, and Safari web browser address two bugs: an out-of-bounds read flaw tracked as CVE-2023-42916, and a memory corruption vulnerability tracked as CVE-2023-42917. 

Both are in the WebKit web browser engine – the heart of Safari, as found on iThings and Macs – and can be abused to access sensitive information (CVE-2023-42916) and execute arbitrary code (CVE-2023-42917) on vulnerable devices. It appears a malicious webpage or similar content can exploit these holes: we imagine an attack would involve tricking a mark into a opening a page that then hijacks their equipment and snoops on them.

The list of affected devices is long, and includes:

• iPhone XS and later
• iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
• Macs running macOS Monterey, Ventura, Sonoma

"Apple is aware of a report that this issue may have been exploited," the Silicon Valley corp said about both bugs in the November 30 security update.

While we don't have details about who may have been poking code in Apple devices, and what evil deeds they were likely doing, both were found by Clément Lecigne of Google's Threat Analysis Group (TAG).

TAG keeps a close eye on nation-state espionage crews, as well as commercial spyware vendors, and some of the earlier Apple bugs have been used to deploy Pegasus and TriangleDB snooping malware on compromised phones and computers. 

• Apple drops urgent patch against obtuse TriangleDB iPhone malware
• Apple opens annual applications for free hackable iPhones
• Uh-oh, update Google Chrome – exploit already out there for one of these 6 security holes
• Plex gives fans a privacy complex after sharing viewing habits with friends by default

In May, Cupertino fixed three other WebKit flaws under exploit that had also been spotted by Lecigne and Amnesty International. These types of bugs tend to be exploited in targeted attacks against politicians, journalists, academics, activists and others.

And also this week: Google fixed a bug in its Chrome browser that Lecigne found. This vulnerability, CVE-2023-6345, was also exploited by miscreants before Google issued the patch.

As with the Apple flaws, we don't have many details about the Chrome vulnerability, other than it's a high-severity integer overflow issue in Skia, a popular graphics library used by the browser. But if we had to bet, we'd put money on all of these being exploited by cyber snoops for espionage purposes.

So before you head into the weekend, it's probably a good idea to update everything. ®