12 December 2023

Apple backports WebKit zero-day fix to older iPhones

Apple rolled out security patches for iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to resolve multiple security flaws, including numerous high-risk vulnerabilities affecting AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit that can result in remote code execution.

Additionally, the iPhone maker backported fixes for two recently disclosed zero-days (CVE-2023-42916 and CVE-2023-42917) to older devices. Both bugs affect the WebKit web browser engine.

CVE-2023-42916 is an out-of-bounds read issue that could be exploited for arbitrary code execution when processing web content. The second vulnerability (CVE-2023-42917) is a buffer overflow issue that could result in arbitrary code execution when processing HTML content.

Apple said that CVE-2023-42916 and CVE-2023-42917 were already exploited against versions of iOS before iOS 16.7.1.

One of the most notable vulnerabilities patched with the latest security updates is CVE-2023-45866, a weakness in the Bluetooth implementation that can be used by a remote attacker in physical proximity to the device to inject keystrokes by spoofing a keyboard and execute arbitrary commands on the system. The issue was reported by SkySafe security engineer Marc Newlin last week.

According to Newlin, the bug allows attackers to connect to Apple, Android, and Linux devices, and the exploit could be executed from a Linux machine using a standard Bluetooth adapter, without the need for any special hardware.
