Google researchers report critical zero-days in Chrome and all Apple OSes

Researchers in Google’s Threat Analysis Group have been as busy as ever, with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursday’s disclosure suggested in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.

CVE-2023-42916 is an out-of-bounds read that allows hackers to obtain sensitive information when WebKit-powered apps process specially crafted online content. CVE-2023-42917 is a memory corruption flaw that causes vulnerable devices to execute malicious code when processing hacker-created content for a WebKit app. Apple credited TAG’s Clément Lecigne with discovery of both vulnerabilities. Neither Apple nor Google provided details about the zero-day attacks.

On Tuesday, Google said it was releasing an update that fixed seven Chrome vulnerabilities, one of which was a zeroday, meaning Google learned of it after exploits were already available in the wild. Google provided no additional details related to the zero-day.

The bug, tracked as CVE-2023-6345, stems from an integer overflow, a common class of vulnerability that allows hackers to execute malicious code when targets process specially crafted content. The vulnerability resides in the Skia component of the browser. Google credited TAG’s Benoît Sevens and Clément Lecigne for reporting the vulnerability.

Both the Apple and Google updates are being automatically pushed to affected devices. The updates are installed when users reboot their device or restart their browser. Users are likely to receive notifications if enough time passes without a restart. iOS, macOS, and iPadOS users can manually install updates by accessing system settings and selecting the General tab. To manually install the Chrome update, choose the three vertical dots on the top right of the window and choose update.

Leave a Reply

Your email address will not be published. Required fields are marked *