What just happened? Google's Threat Analysis Group discovered two actively exploited zero-day vulnerabilities in Apple's operating systems. Apple quickly released critical security updates for iOS 17, iPadOS 17, macOS Sonoma, and Safari, addressing the issue. If left unpatched, the vulnerabilities could reveal sensitive information and enable arbitrary code execution.
Owners of iPhones, iPads, and Macs should update their operating systems ASAP. The latest patch contains a critical security update for two vulnerabilities hackers are currently exploiting. Both issues concern how WebKit reads memory. WebKit is the browser engine underpinning Safari and other essential Apple applications.
The first (CVE-2023-42916) is an out-of-bounds read vulnerability that permits reading information from RAM beyond the limits of an array. The flaw could cause WebKit to reveal sensitive data while processing web content. The second issue (CVE-2023-42917) is a memory corruption vulnerability, which Apple addressed with improved locking. The security hole could enable arbitrary code execution when reading web content.
Although Apple engineers included the patch in iOS 17.1.2, iPadOS 17.1.2, and macOS Sonoma 14.1.2, Apple received reports that hackers exploited the same flaws in versions of iOS before 16.7.1. Google and Apple haven't identified the malicious actors.
Furthermore, while the macOS update targets Sonoma, users with Monterey and Ventura should install an update for Safari that addresses the issues. The mobile updates affect iPhones dating back to the XS, iPad Pro 12.9-inch 2nd generation and newer, all 10.5-inch and 11-inch iPad Pros, iPad Air 3rd generation or later, the 5th and 6th-generation iPad mini, and all iPads since the 6th generation.
Google's Threat Analysis Group has been quite busy lately, as this is the second set of significant vulnerabilities it has exposed this week. The company recently released an update for Chrome that addressed several security flaws.
One of the Chrome vulnerabilities (CVE-2023-6350) is an out-of-bounds read issue in the processing of AVIF files, similar to the one affecting Apple's systems. Other problems the update addressed include use-after-free memory corruption vulnerabilities in multiple parts of Chrome, a spellcheck type confusion issue, and an integer overflow. Chrome users who haven't updated to version 119.0.6045.200 should do so ASAP.
Earlier this month, Google also described a zero-day it discovered, which affected the email server Zimbra Collaboration, impacting multiple international government organizations. The risks included the theft of emails, credentials, and authentication tokens.