Apple prevents data leaks: fixes for WebKit issues in Safari released

Users should upgrade to avoid becoming a victim of malware.

Apple released software updates for iOS, iPadOS, macOS, and the Safari web browser to address two vulnerabilities that the company says are being actively exploited in older versions of the software. Both vulnerabilities are in the WebKit browser engine:
  • CVE-2023-42916 — an out-of-bounds read that can be used to leak sensitive information when processing web content;
  • CVE-2023-42917 — a memory corruption error that can lead to arbitrary code execution when processing web content.

Apple said that it is aware of reports that these flaws have been exploited in versions prior to iOS 16.7.1, released on October 10, 2023. The discovery and reporting of the flaws is credited to Clément Lecigne of Google's Threat Analysis Group (TAG). Apple did not provide additional information about the ongoing exploitation.

It's worth noting that every third-party web browser available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, Microsoft Edge, and others, runs on the WebKit engine because Apple does not allow third-party engines on these platforms. This makes WebKit a broad and attractive attack surface: a single WebKit flaw affects every browser on the device, not just Safari.

In the iOS and iPadOS operating systems, Apple requires all browsers to use WebKit as their rendering engine. This means that, despite the differences in interface and functionality, all browsers in Apple's OS, in fact, use the same engine as Safari. For example, Google adapted its own Chrome Blink engine to work within the limitations of WebKit on Apple devices.

Updates are available for the following devices and operating systems:
  • iOS 17.1.2 and iPadOS 17.1.2 — iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later;
  • macOS Sonoma 14.1.2 — Mac computers running macOS Sonoma;
  • Safari 17.1.2 — Macs running macOS Monterey and macOS Ventura.

In addition to restricting the use of third-party browser engines, Apple also prohibits the installation of applications from unofficial sources in order to protect users from malware infections on the iPhone.

Ivan Krstic, Apple's Head of Security and Architecture, shared his thoughts on iPhone security and the company's position regarding installing apps from third-party sources and using third-party app stores. Against the backdrop of upcoming EU regulatory changes, Krstic highlighted the potential risks associated with allowing iPhone users to install apps from sources other than the Apple app store.