With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities that “may have been exploited against versions of iOS before iOS 16.7.1.”
Both affect WebKit, the Apple-developed browser engine used by the company’s Safari web browser and all web browsers on iOS and iPadOS. CVE-2023-42916 may lead to disclosure of sensitive information, while CVE-2023-42917 allows arbitrary code execution.
The vulnerabilities were reported to Apple by security researcher Clément Lecigne of Google’s Threat Analysis Group.
As is their wont, Apple did not disclose details about the attacks in which these zero-days have been exploited, but we know that Google TAG often uncovers zero-day vulnerabilities used to deliver state-sponsored spyware to targeted individuals.
Apple says that the vulnerabilities have been exploited against versions of iOS before 16.7.1, but does not say whether iOS 16.7.1 and iOS 16.7.2 are vulnerable.
If they are, Apple will likely soon push out new security updates for iOS 16.