Summary: A critical memory corruption vulnerability has been addressed with improved locking, which may lead to arbitrary code execution if exploited. The issue has been fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2. Apple has acknowledged reports of this issue being exploited before iOS 16.7.1.
Body
In this post, we will discuss the recently discovered memory corruption vulnerability identified as CVE-2023-42917. This vulnerability can lead to arbitrary code execution and was addressed with improved locking implemented by Apple. A patch is available in the form of new software updates for iOS, iPadOS, macOS, and Safari.
A sample piece of vulnerable code illustrating this vulnerability would look like this
void process_web_content(char *content) {
// ...rest of the processing code...
// Memory corruption vulnerability due to lack of proper locking
char *buffer = (char *) malloc(strlen(content) + 1);
strcpy(buffer, content);
// ...rest of the processing code...
}
In this example, the lack of proper locking can potentially lead to memory corruption, allowing attackers to perform arbitrary code execution.
Original References
The official security update, detailing the vulnerability and software updates that address it, can be found from Apple Support here:
- About the security content of iOS 17.1.2 and iPadOS 17.1.2
- About the security content of macOS Sonoma 14.1.2
- About the security content of Safari 17.1.2
Exploit Details
The vulnerability is due to inadequate locking when processing web content in the affected Apple products. This can create a memory corruption situation that may lead to arbitrary code execution.
Apple is aware of reports that this issue may have been exploited in the wild against versions of iOS before iOS 16.7.1. It is essential to update your Apple devices to the latest software versions that include the fix for this vulnerability. We highly recommend updating to iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2, as applicable, to protect your devices from possible exploitation.
Conclusion
CVE-2023-42917 is a significant memory corruption vulnerability that can lead to arbitrary code execution. Apple has addressed this issue with improved locking in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2. Users must update their devices to these software versions to protect against potential exploitation. Stay informed about software updates and security vulnerabilities to keep your devices secure.
Timeline
Published on: 11/30/2023 23:15:07 UTC
Last modified on: 12/13/2023 03:15:47 UTC