Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

WebKit Zero-Day Vulnerabilities Prompt iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, and Safari 17.1.2

Adam Engst

In response to two zero-day vulnerabilities (those found being exploited in the wild) identified in WebKit by Clément Lecigne of Google's Threat Analysis Group, Apple has released [1]iOS 17.1.2 and iPadOS 17.1.2, [2]macOS 14.1.2 Sonoma, and [3]Safari 17.1.2 for macOS 12 Monterey and macOS 13 Ventura. With one of the vulnerabilities, processing Web content could disclose sensitive information; with the other, it could lead to arbitrary code execution. The company doesn't list any other changes. Apple says these vulnerabilities may have been exploited against versions of iOS and iPadOS before 16.7.1, suggesting that the current iOS 16.7.2 and iPadOS 16.7.2 aren't vulnerable.

Although no one has published additional details, these vulnerabilities were likely used only against high-value targets, because zero-day exploits are too valuable to waste against low-value targets like most of us. As a result, you don't have to drop everything to install these updates, but I encourage you to install them the next time it's convenient.

I'm surprised Apple didn't use its Rapid Security Response approach for the iOS, iPadOS, and macOS updates (see "[4]What Are Rapid Security Responses and Why Are They Important?", 2 May 2023). A couple of WebKit zero-day fixes would seem to be a perfect fit. Apple's hesitation may be related to the fact that the last Rapid Security Response release didn't go well (see "[5]Rapid Security Responses for iOS/iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c)", 13 July 2023).

If it seems like Apple has been releasing a lot of fixes for zero-day vulnerabilities this year, you're not wrong.
Google's Project Zero maintains a [6]0day "In the Wild" spreadsheet that tracks all the zero-day exploits identified each year. It reveals that of 56 zero-day exploits in 2023, 21 targeted Apple. In 2022, Apple accounted for 9 of 41 zero-day exploits, and 14 of 69 in 2021. Before that, the numbers were much lower. Though tempting, it's difficult to draw any overall conclusions about why the numbers have skyrocketed in the last three years. If you're interested in why that is, read [7]the extensive blog post by Maddie Stone of Google's Threat Analysis Group that recaps the situation in 2022.

References

1. https://support.apple.com/en-us/HT214031
2. https://support.apple.com/en-us/HT214032
3. https://support.apple.com/en-us/HT214033
4. https://tidbits.com/2023/05/02/what-are-rapid-security-responses-and-why-are-they-important/
5. https://tidbits.com/2023/07/13/rapid-security-responses-for-ios-ipados-16-5-1-a-and-macos-ventura-13-4-1-a-2/
6. https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/view#gid=0
7. https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html