Apple warns billions of users of actively exploited zero-day vulnerability

In case you didn’t read the subhead, if you have an iPhone, iPad, or Mac, you need to update it right now. Apple has released iOS and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1 for macOS Monterey and macOS Ventura to patch two extremely critical WebKit flaws affecting Safari on the Mac and every browser on the iPhone and iPad.

Apple reports that the zero-day (meaning it was previously unknown to users and security researchers) “may have been exploited against versions of iOS before iOS 16.7.1,” which only arrived in November to fix a separate zero-day flaw. It’s unclear whether any instances of the vulnerability being exploited on the Mac have been recorded. It’s the 20th zero-day patch issued by Apple in 2023.

Apple is also working on watchOS 10.2 and tvOS 17.2, which will presumably arrive within a week or two and contain the same patch. Both fixes affect WebKit and were discovered by Clément Lecigne of Google’s Threat Analysis Group:

WebKit (CVE-2023-42916)

• Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
• Description: An out-of-bounds read was addressed with improved input validation.

WebKit (CVE-2023-42917)

• Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
• Description: A memory corruption vulnerability was addressed with improved locking.

Earlier this week, Google also issued an emergency update for Chrome on Mac, which patches seven security flaws, at least one of which has been known to have been exploited in the wild.

To update your device, head over to Settings (iPhone or iPad) or System Settings (Mac), then General and Software Update. On older Macs, go to System Preferences, then Software Update.