iPhones and Macs get patches for two vulnerabilities


Apple warned customers of the latest zero-day vulnerabilities affecting several of its products, releasing an emergency security update on Thursday.

The vulnerabilities — CVE-2023-42916 and CVE-2023-42917 — were discovered by Clément Lecigne of Google’s Threat Analysis Group and affect iPhone XS and later; several models of iPads; and Macs running macOS Monterey, Ventura or Sonoma.

“Processing web content may disclose sensitive information,” the company said in all three advisories.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.”

The Cybersecurity and Infrastructure Security Agency (CISA) released its own warning about the vulnerabilities, urging customers of the company to apply the patches available.

Read more: Latest severe Chrome bug prompts CISA warning

Michael Covington, a vice president at Apple device security and management company Jamf, told Recorded Future News that the bugs revolve around Apple’s WebKit.

The exploits involving the vulnerabilities, according to Covington, show that attackers continue to focus on finding flaws in the framework that downloads and presents web-based content.

“The latest bugs could lead to both data leakage and arbitrary code execution, and appear to be tied to targeted attacks that are common against high-risk users,” he said.

“Though these patches validate that Apple devices are not immune to cyber threats, the patching process is helping to reduce the attack surface. Now that the patches are issued, it is up to users, and organizations that utilize Apple devices for work, to update their devices and monitor for compliance to ensure that all critical devices are no longer vulnerable as soon as possible.”

Apple previously warned in October about hackers exploiting CVE-2023-42824 – a vulnerability affecting iPhone XS and later as well as several versions of the iPad Pro and Air.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

60 credit unions facing outages due to ransomware attack on popular tech provider

Next Post

Russian developer of Trickbot malware pleads guilty, faces 35-year sentence

Related Posts

Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users

A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads," Securonix
Read More