Discoveries by researchers in Google’s Threat Analysis Group (TAG) have led to the disclosure, within 48 hours, of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser.
On Thursday, Apple announced the release of security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. These vulnerabilities reside in WebKit, the engine that powers Safari and numerous other apps. In-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS, prompting Apple to take action to protect users.
One of the vulnerabilities, tracked as CVE-2023-42916, allows hackers to obtain sensitive information when WebKit-powered apps process specially crafted online content. The other, CVE-2023-42917, causes vulnerable devices to execute malicious code when a WebKit-powered app processes hacker-created content. Both vulnerabilities were discovered by TAG’s Clément Lecigne.
On Tuesday, Google announced an update that fixed seven Chrome vulnerabilities, including one zero-day. The bug, tracked as CVE-2023-6345, allows hackers to execute malicious code when targets process specially crafted content in the Skia component of the browser.
Both the Apple and Google updates are being automatically pushed to affected devices. Users are likely to receive notifications if enough time passes without a restart. iOS, macOS, and iPadOS users can manually install updates by accessing system settings, and Chrome users can update by choosing the three vertical dots on the top right of the window and selecting update.