- Upgrade to Microsoft Office Pro and Windows 11 Pro with this bundle for 87% off
- Get 3 months of Xbox Game Pass Ultimate for 28% off
- Buy a Microsoft Project Pro or Microsoft Visio Pro license for just $18 with this deal
- How I optimized the cheapest 98-inch TV available to look and sound incredible (and it's $1,000 off)
- The best blood pressure watches of 2024
Apple Patches Actively Exploited iOS Zero-Days
Apple has been forced to patch yet another pair of zero-day vulnerabilities, bringing the total for the year to 20.
The tech giant said that the two bugs in its WebKit browser engine were being actively exploited in the wild.
The first vulnerability, CVE-2023-42916, is found in a range of Apple products: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
The flaw is described as an “out-of-bounds read” which Apple addressed with improved input validation.
“Processing web content may disclose sensitive information,” Apple said of its impact.
Read more on Apple zero-days: Apple Issues Emergency Patches for More Zero-Day Bugs
The second vulnerability, CVE-2023-42917, is a memory corruption flaw in WebKit which was addressed with “improved locking.”
It is present in the same list of products as the first vulnerability.
“Processing web content may lead to arbitrary code execution,” Apple said of the flaw.
Both bugs were discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a researcher and an organization known for finding vulnerabilities and exploits used in commercial spyware operations.
Just this week, he was cited by Google in a Chrome update for finding CVE-2023-6345, an integer overflow issue in open source 2D graphics library Skia, linked to similar state-sponsored activity.
The continued discovery of zero-day vulnerabilities in Apple kit, frequently researched by commercial spyware organizations to deliver eavesdropping capabilities to targeted devices, hint that such operations are still very much alive and well despite Western pressure.
The US has placed organizations like NSO Group on trade blacklists in an attempt to stifle their business, and in March President Biden approved an executive order (EO) banning government use of any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.
Image credit: NYC Russ / Shutterstock.com