Apple: Hackers Might Be Exploiting This WebKit Flaw to Attack iPhones

Time to update: Apple is patching a pair of flaws that hackers may be actively exploiting to attack iPhones, iPads, and macOS devices.

The company released security updates today to address the threat, which affects WebKit, the browser engine for Safari.

Apple learned of the flaws through Google security researcher Clément Lecigne, who works for the company’s Threat Analysis Group, a team that defends against state-sponsored hacking groups and commercial surveillance companies.

There aren’t many details about the attack. But the vulnerabilities can be triggered when processing malicious web content. This suggests the hackers were abusing the flaws by sending victims booby-trapped web pages, perhaps through a phishing message or website.

The first flaw, CVE-2023-42916, can manipulate the WebKit engine into reading memory outside its normal bounds, which can cause the software to disclose sensitive information. Meanwhile, the second flaw, CVE-2023-42917, is a memory corruption problem that can be abused to make WebKit run rogue computer code. Hence, it sounds like this vulnerability could be used to secretly download malware to a device.

It’s also possible that both flaws were exploited together to help hackers hijack iPhones. Apple notes that the vulnerabilities “may have been exploited against versions of iOS before iOS 16.7.1,” which was released on Oct. 10.

Apple’s patch will arrive as iOS version 17.1.2. Users can update their iPhones by going to Settings > General > Software Update. The phone can also patch itself automatically if you’ve toggled on automatic updates. In addition to iOS, Apple has released patches for iPadOS, macOS Sonoma, and Safari.
