Busy as ever, Google’s Threat Analysis Group has made discoveries that led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in just 48 hours.
On Thursday, Apple announced that it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. These vulnerabilities reside in WebKit, the engine that drives Safari and a wide range of other apps. The update applies to all supported versions of Apple OSes, but in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917. CVE-2023-42916 is an out-of-bounds read that allows hackers to obtain sensitive information when WebKit-powered apps process specially crafted online content. CVE-2023-42917 is a memory corruption flaw that causes vulnerable devices to execute malicious code when processing hacker-created content for a WebKit app. TAG’s Clément Lecigne discovered both vulnerabilities. Neither Apple nor Google provided details about the zero-day attacks.
On Tuesday, Google announced the release of an update that fixed seven Chrome vulnerabilities, including a zeroday, meaning Google learned of it after exploits were already available in the wild. The bug, tracked as CVE-2023-6345, stems from an integer overflow, a common class of vulnerability. Google credited TAG’s Benoît Sevens and Clément Lecigne for reporting the vulnerability.
Both the Apple and Google updates are automatically pushed to affected devices and installed when users reboot their device or restart their browser. Users can also manually install updates by accessing system settings and selecting the General tab. To manually install the Chrome update, choose the three vertical dots on the top right of the window and choose update.
