Apple: Hackers Could Use This WebKit Flaw to Attack iPhones
December 2, 2023Time to update: Apple is patching two flaws that hackers may be actively exploiting to attack iPhones, iPads, and macOS devices.
The business issued security upgrades today to address the vulnerability, which affects WebKit, Safari's browser engine.
Apple learned of the flaws from Google security researcher Clément Lecigne, who works for the company's Threat Analysis Group, a team that defends against state-sponsored hacking groups and commercial surveillance companies. (Days earlier, Lecigne discovered a separate zero-day vulnerability in Google's Chrome browser, which was also patched.)
Apple has not provided details about the attack, but the vulnerabilities can be triggered when processing malicious web content. This suggests that the hackers were exploiting the flaws by sending victims booby-trapped web pages, possibly through a phishing message or website.
The first flaw, CVE-2023-42916, allows manipulation of the WebKit engine to read memory beyond its normal bounds, potentially leading to the disclosure of sensitive information. Meanwhile, the second flaw, CVE-2023-42917, involves a memory corruption issue that can be exploited to execute rogue computer code through WebKit. Therefore, this vulnerability could potentially be used to secretly download malware onto a device.
It's also likely that these holes were used in tandem to allow hackers to takeover iPhones. The vulnerabilities, according to Apple, "may have been exploited against versions of iOS prior to iOS 16.7.1," which was issued on October 10.