iPhones and Macs get patches for two vulnerabilities
Apple warned customers of the latest zero-day vulnerabilities affecting several of its products, releasing an emergency security update on Thursday.
The vulnerabilities — CVE-2023-42916 and CVE-2023-42917 — were discovered by Clément Lecigne of Google's Threat Analysis Group and affect iPhone XS and later; several models of iPads; and Macs running macOS Monterey, Ventura or Sonoma.
“Processing web content may disclose sensitive information,” the company said in all three advisories.
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.”
The Cybersecurity and Infrastructure Security Agency (CISA) released its own warning about the vulnerabilities, urging Apple customers to apply the available patches.
Michael Covington, a vice president at Jamf, a security and management company for Apple devices, told Recorded Future News that the bugs revolve around Apple’s WebKit.
The exploits involving the vulnerabilities, according to Covington, show that attackers continue to focus on finding flaws in the framework that downloads and presents web-based content.
“The latest bugs could lead to both data leakage and arbitrary code execution, and appear to be tied to targeted attacks that are common against high-risk users,” he said.
“Though these patches validate that Apple devices are not immune to cyber threats, the patching process is helping to reduce the attack surface. Now that the patches are issued, it is up to users, and organizations that utilize Apple devices for work, to update their devices and monitor for compliance to ensure that all critical devices are no longer vulnerable as soon as possible.”
Apple previously warned in October about hackers exploiting CVE-2023-42824 – a vulnerability affecting iPhone XS and later as well as several versions of the iPad Pro and Air.
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.