December 22, 2024

GET YER PATCHES — Google researchers report critical zero-days in Chrome and all Apple OSes Discoveries made by Google’s Threat Analysis Group, which tracks nation-state hacking.

Dan Goodin – Dec 1, 2023 12:38 am UTC EnlargeGetty Images reader comments 32 with

Researchers in Google’s Threat Analysis Group have been as busy as ever, with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursdays disclosure suggested in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.

Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1, Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.

CVE-2023-42916 is an out-of-bounds read that allows hackers to obtain sensitive information when WebKit-powered apps process specially crafted online content. CVE-2023-42917 is a memory corruption flaw that causes vulnerable devices to execute malicious code when processing hacker-created content for a WebKit app. Apple credited TAGs Clment Lecigne with discovery of both vulnerabilities. Neither Apple nor Google provided details about the zero-day attacks. Advertisement

On Tuesday, Google said it was releasing an update that fixed seven Chrome vulnerabilities, one of which was a zeroday, meaning Google learned of it after exploits were already available in the wild. Google provided no additional details related to the zero-day.

The bug, tracked as CVE-2023-6345, stems from an integer overflow, a common class of vulnerability that allows hackers to execute malicious code when targets process specially crafted content. The vulnerability resides in the Skia component of the browser. Google credited TAGs Benot Sevens and Clment Lecigne for reporting the vulnerability.

Both the Apple and Google updates are being automatically pushed to affected devices. The updates are installed when users reboot their device or restart their browser. Users are likely to receive notifications if enough time passes without a restart. iOS, macOS, and iPadOS users can manually install updates by accessing system settings and selecting the General tab. To manually install the Chrome update, choose the three vertical dots on the top right of the window and choose update. reader comments 32 with Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars