CVE-2023-42917 — Apple Multiple Products WebKit Memory Corruption Vulnerability

CVE-2023-42917

Apple WebKit — Memory Corruption Enables RCE via Malicious Web Content; Zero-Day Chained with CVE-2023-42916 for Full Exploit; iOS 17.1.2 / macOS Sonoma 14.1.2

What is Apple WebKit?

WebKit is Apple's open-source browser engine that powers Safari on iPhone, iPad, and Mac, as well as all third-party iOS browsers (which are required by Apple to use WebKit rather than their own rendering engines). WebKit processes and renders web content — HTML, JavaScript, CSS, images, and media — and is one of the most security-critical components of the Apple platform. Vulnerabilities in WebKit can be triggered by visiting a malicious webpage and can lead to code execution within the browser process. Commercial mobile spyware vendors (including NSO Group, Intellexa, and others) have repeatedly developed WebKit exploit chains as the first stage of full-device iOS compromises, as Safari/WebKit is the primary attack surface for delivering browser-based exploits to iPhone users.

Overview

CVE-2023-42917 is a memory corruption vulnerability in Apple's WebKit browser engine that allows a remote attacker to achieve code execution via a specially crafted malicious webpage. Apple patched it on November 30, 2023 in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2, acknowledging in-the-wild exploitation at the time of the patch. CVE-2023-42917 was patched alongside CVE-2023-42916 (a WebKit out-of-bounds read that enables information disclosure) — the two vulnerabilities were likely used together as a combined exploit chain, with CVE-2023-42916 leaking memory addresses needed to reliably exploit the CVE-2023-42917 memory corruption. CISA added both to KEV four days after the patch.

Affected Versions

Product         Vulnerable         Fixed
iOS             Prior to 17.1.2    iOS 17.1.2
iPadOS          Prior to 17.1.2    iPadOS 17.1.2
macOS Sonoma    Prior to 14.1.2    macOS Sonoma 14.1.2
Safari          Prior to 17.1.2    Safari 17.1.2

Note: Third-party iOS browsers (Chrome for iOS, Firefox for iOS, etc.) use WebKit and are affected; updates for those browsers were also released.

Technical Details

CWE-787 (Out-of-bounds Write). WebKit's JavaScript engine (JavaScriptCore) and rendering pipeline process complex web content involving dynamic memory allocation. A memory corruption vulnerability (out-of-bounds write) in WebKit's handling of certain web content allows an attacker who can cause the victim to visit a malicious webpage to write attacker-controlled data outside the bounds of an allocated buffer. By exploiting this to corrupt adjacent memory (such as function pointers or object vtables), the attacker can redirect code execution within the WebKit/Safari process.

CVE-2023-42916 (companion vulnerability) is an out-of-bounds read that leaks heap memory addresses. In a full exploit chain, CVE-2023-42916 is used first to defeat Address Space Layout Randomization (ASLR) by leaking kernel or heap memory addresses, then CVE-2023-42917 is used with the leaked addresses to place shellcode or return-oriented programming payloads at known locations for reliable code execution.

The resulting code execution runs within the WebKit renderer process. A second privilege escalation vulnerability would be needed to escape the WebKit sandbox and achieve OS-level impact — commercial exploit chains typically chain 3–4 vulnerabilities for full device compromise.

Discovery

Clément Lecigne of Google's Threat Analysis Group (TAG) was credited with reporting CVE-2023-42917 and CVE-2023-42916 to Apple. Google TAG specializes in identifying zero-day vulnerabilities used by commercial spyware vendors and nation-state actors in targeted attacks.

Exploitation Context

Google TAG's discovery and Apple's in-the-wild acknowledgment place CVE-2023-42917 squarely in the commercial spyware threat model — zero-day WebKit vulnerabilities are a foundational component of iOS full-chain exploits deployed by vendors such as NSO Group (Pegasus), Intellexa (Predator), and Paragon (Graphite). These chained exploits are delivered via single malicious webpage visits (one-click) or in zero-click variants via iMessage or other no-interaction attack vectors in more advanced campaigns.

The November 2023 timing follows a year of Apple actively patching multiple WebKit zero-days — a sustained attacker investment in maintaining browser exploit chains as spyware delivery vectors.

Remediation

  1. Update iOS and iPadOS to 17.1.2 or later immediately (Settings → General → Software Update).
  2. Update macOS to Sonoma 14.1.2 or later, and update Safari if running on macOS Ventura or Monterey.
  3. Enable automatic updates on all Apple devices (Settings → General → Software Update → Automatic Updates) to minimize the window between patch release and device protection.
  4. For high-risk individuals (journalists, activists, government employees, executives): consider enabling Apple's Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) — it significantly restricts WebKit functionality to reduce the WebKit attack surface, at the cost of some web features.
  5. Be cautious about clicking links from unknown senders in any communication channel — WebKit exploits typically require visiting a malicious URL.
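To turn the remediation steps above into a fleet check, here is an added example (not from the advisory) that reads an MDM inventory export and flags devices still below the fixed versions; the CSV column names and the inventory rows are constructed, and Macs on Ventura or Monterey are judged by their Safari version as the advisory describes.

```python
# Added example (not from the advisory): flag devices below the fixed versions.
# FIXED mirrors the Affected Versions table; the CSV columns and rows are constructed.
import csv
import io
import re

FIXED = {  # fixed release per product, from the advisory
    "iOS": (17, 1, 2),
    "iPadOS": (17, 1, 2),
    "macOS Sonoma": (14, 1, 2),
    "Safari": (17, 1, 2),
}

INVENTORY = """\
device,os,os_version,safari_version
ipad-01,iPadOS,17.1.1,
iphone-02,iOS,17.2,
mac-03,macOS Sonoma,14.1.1,17.1.1
mac-04,macOS Ventura,13.6.2,17.1.2
mac-05,macOS Monterey,12.7.1,17.1.1
"""

def parse_version(text):
    """'17.2' -> (17, 2, 0). Compare as int tuples, never as strings:
    as strings, '17.1.10' would sort below '17.1.2'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable(product, version):
    """True when the installed version predates the fix for this product."""
    return parse_version(version) < FIXED[product]

def device_status(row):
    """Exposure for one inventory row; None if the OS is outside the table."""
    os_name = row["os"]
    if os_name in ("iOS", "iPadOS", "macOS Sonoma"):
        return is_vulnerable(os_name, row["os_version"])
    if os_name in ("macOS Ventura", "macOS Monterey"):
        # Older macOS gets the fix as a standalone Safari 17.1.2 update.
        return is_vulnerable("Safari", row["safari_version"])
    return None

def exposed_devices(csv_text=INVENTORY):
    """Names of devices that still need the update."""
    return [r["device"] for r in csv.DictReader(io.StringIO(csv_text))
            if device_status(r)]
```

Running it on the constructed inventory lists ipad-01, mac-03 and mac-05 as still exposed.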

Key Details

Property               Value
CVE ID                 CVE-2023-42917
Vendor / Product       Apple — Multiple Products
NVD Published          2023-11-30
NVD Last Modified      2025-10-23
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787
CISA KEV Added         2023-12-04
CISA KEV Deadline      2023-12-25
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-12-25. Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Timeline

Date          Event
2023-11-30    Apple releases iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 patching CVE-2023-42917 and CVE-2023-42916 — both acknowledged as in-the-wild zero-days
2023-12-04    CISA adds CVE-2023-42917 and CVE-2023-42916 to the Known Exploited Vulnerabilities catalog
2023-12-25    CISA BOD 22-01 remediation deadline