
WebKit Zero-Day Vulnerabilities Prompt iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, and Safari 17.1.2

In response to two zero-day vulnerabilities—those found in the wild—identified in WebKit by Clément Lecigne of Google’s Threat Analysis Group, Apple has released iOS 17.1.2 and iPadOS 17.1.2, macOS 14.1.2 Sonoma, and Safari 17.1.2 for macOS 12 Monterey and macOS 13 Ventura. In one of the vulnerabilities, processing Web content could disclose sensitive information; the other could lead to arbitrary code execution. The company doesn’t list any other changes.

Apple says these vulnerabilities may have been exploited against versions of iOS and iPadOS before 16.7.1, suggesting that the current iOS 16.7.2 and iPadOS 16.7.2 aren’t vulnerable.

Although no one has published additional details, these vulnerabilities were likely used only against high-value targets because zero-day exploits are too valuable to waste against low-value targets like most of us. As a result, you don’t have to drop everything to install these updates, but I encourage you to install them the next time it’s convenient.
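As an added, practical check that is not part of the TidBITS article: the fix lands in different places depending on the macOS version (Sonoma gets it in macOS 14.1.2 itself; Monterey and Ventura get it through Safari 17.1.2), so a Mac admin verifying a fleet needs to compare two different version strings. The script below assumes a POSIX shell with awk, uses the real `sw_vers` and `PlistBuddy` commands when it happens to run on macOS (the path to Safari's Info.plist is an assumption), and otherwise just exposes the comparison functions; the thresholds are the versions named in the article.

```sh
#!/bin/sh
# Added example (not the article's own): decide whether a Mac has the
# WebKit fix described above, based on the versions the article names.

# version_ge A B: succeeds (returns 0) when dotted version A >= B,
# comparing numeric components left to right; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# required_fix_for OSVER SAFARIVER: prints "patched", "unpatched" or "unknown".
# Sonoma (14.x) needs macOS 14.1.2 or later; Monterey (12.x) and Ventura (13.x)
# need Safari 17.1.2 or later. Other macOS versions are outside the article's scope.
required_fix_for() {
    case "$1" in
        14|14.*)
            version_ge "$1" 14.1.2 && echo patched || echo unpatched ;;
        12|12.*|13|13.*)
            version_ge "${2:-0}" 17.1.2 && echo patched || echo unpatched ;;
        *)
            echo unknown ;;
    esac
}

# On an actual Mac, read the live values; elsewhere this block is skipped.
# (Assumption: Safari's bundle lives at /Applications/Safari.app.)
if command -v sw_vers >/dev/null 2>&1; then
    os_ver=$(sw_vers -productVersion)
    safari_ver=$(/usr/libexec/PlistBuddy -c 'Print CFBundleShortVersionString' \
        /Applications/Safari.app/Contents/Info.plist 2>/dev/null)
    echo "macOS $os_ver, Safari ${safari_ver:-unknown}: $(required_fix_for "$os_ver" "$safari_ver")"
fi
```

Component-wise comparison matters here: a plain string compare would rank Safari 17.1.10 below 17.1.2, which is exactly the kind of mistake that makes a patched machine look unpatched (or the reverse) in an inventory report.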

I’m surprised Apple didn’t use its Rapid Security Response approach for the iOS, iPadOS, and macOS updates (see “What Are Rapid Security Responses and Why Are They Important?” 2 May 2023). A couple of WebKit zero-day fixes would seem to be a perfect fit. Apple’s hesitation may be related to the fact that the last Rapid Security Response release didn’t go well (see “Rapid Security Responses for iOS/iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c),” 13 July 2023).

If it seems like Apple has been releasing a lot of fixes for zero-day vulnerabilities this year, you’re not wrong. Google’s Project Zero maintains a 0day “In the Wild” spreadsheet that tracks all the zero-day exploits identified yearly. It reveals that of 56 zero-day exploits in 2023, 21 targeted Apple. In 2022, Apple accounted for 9 of 41 zero-day exploits, and 14 of 69 in 2021. Before that, the numbers were much lower. Though tempting, it’s difficult to draw any overall conclusions about why the numbers have skyrocketed in the last three years. If you’re interested in why that is, read the extensive blog post by Maddie Stone of Google’s Threat Analysis Group that recaps the situation in 2022.

Project Zero overall and Apple-specific exploits


Comments About WebKit Zero-Day Vulnerabilities Prompt iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, and Safari 17.1.2

Notable Replies

  1. From the article:

    … I’m surprised Apple didn’t use its Rapid Security Response approach

    Adam is in good company:

  2. From original article:

    In response to two zero-day vulnerabilities—those found in the wild—identified in WebKit by Clément Lecigne of Google’s Threat Analysis Group, Apple has released iOS 17.1.2 and iPadOS 17.1.2, macOS 14.1.2 Sonoma, and Safari 17.1.2 for macOS 12 Monterey and macOS 13 Ventura.

    Please explain: How does updating Sonoma 14.1.2 affect Monterey 12.x or Ventura 13.x?

  3. Updating Safari is what protects Monterey and Ventura.

  4. OK, thanks.

  5. What is this malarkey with having to authenticate iCloud in addition to regular authentication after installing the patch? Doesn’t happen on iOS. But happened already for the 2nd time on Sonoma.

  6. It must be something with your account / Mac, because I just installed the update and did not have to re-authenticate with my Apple ID. I was plagued by these on iOS, macOS and iPadOS a few months ago, when it seemed to happen constantly - but not coinciding with any updates.

  7. I’m a bit perturbed by that bar chart… the Apple number should be part of the overall bar, not on top of it, which would make the chart both a bit greener and a bit less tall…

  8. This may be a very foolish question, but could someone explain exactly what is meant by the term “Zero-Day”? Intuitively it appears to refer to an undetected vulnerability - but I’m not sure if that’s right.

  9. Zero-day means that an exploit is already detected being used “in the wild” when the exploit was revealed or detected. Some exploits are discovered but their use is not detected in the wild already.

    Generally and especially with macOS, once a patch is delivered there will be people trying to reverse-engineer what was patched and reveal the exploit anyway, so I’d say once a patch is delivered, it’s going to be exploited very soon anyway.

  10. I’d just add that the term refers to the fact that there are zero days available to fix the vulnerability (compare to the Y2K problem, where the need to do something was known well in advance); some organizations or people already have fallen victim to the attack.

  11. Doh! You’re absolutely right, and I’ve regenerated the chart. I spent some time trying to decide if the chart was useful at all, but it seemed to give a better sense of the data than just the numbers.

  12. Thanks @ace, that makes my statistician brain quiver quite a bit less :slight_smile:

  13. Thanks to Doug Miller and Halfsmoke. At least I now know what people are talking about. I was a software engineer, but so long ago that the whole ‘exploit’ concept didn’t yet exist!

  14. In the article, I wrote:

    Apple says these vulnerabilities may have been exploited against versions of iOS and iPadOS before 16.7.1, suggesting that the current iOS 16.7.2 and iPadOS 16.7.2 aren’t vulnerable.

    So much for that. iOS 16.7.3 and iPadOS 16.7.3 are now out with fixes for these WebKit vulnerabilities. Install them sooner rather than later.
