December 4, 2023

iOS 17.1.1


Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Set the default OS Out of Date policy to have a minimum iOS version of 17.1.2. They can then choose whether to alert the user that the device is out of compliance or block access to work apps until iOS is updated.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
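As an added example (not Lookout's console or code), the OS Out of Date policy above expressed as a script that evaluates a constructed device inventory against the 17.1.2 minimum; version components are compared numerically so that a string comparison cannot mistakenly pass an old build such as 17.2 against 17.10.

```python
"""Added example (not Lookout's code): evaluate a device inventory against an
"OS Out of Date" policy with a minimum iOS version of 17.1.2, as recommended
above. Versions are compared numerically per component, not as strings."""

MINIMUM_IOS = "17.1.2"  # minimum version from the recommendation above

def parse_version(version):
    """Turn '17.1.1' into (17, 1, 1); missing components count as 0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_out_of_date(version, minimum=MINIMUM_IOS):
    """True when the device runs a version older than the policy minimum."""
    return parse_version(version) < parse_version(minimum)

def evaluate_inventory(devices, minimum=MINIMUM_IOS, action="alert"):
    """Return (device_id, version, action) for every non-compliant device.
    action is 'alert' (notify the user) or 'block' (deny work apps), the two
    responses the policy offers."""
    if action not in ("alert", "block"):
        raise ValueError("action must be 'alert' or 'block'")
    findings = []
    for device_id, platform, version in devices:
        if platform not in ("iOS", "iPadOS"):
            continue  # this policy applies to Apple mobile devices only
        if is_out_of_date(version, minimum):
            findings.append((device_id, version, action))
    return findings

# Constructed sample inventory (device id, platform, OS version); not real data.
SAMPLE_DEVICES = [
    ("dev-001", "iOS", "17.1.1"),
    ("dev-002", "iOS", "17.1.2"),
    ("dev-003", "iPadOS", "16.7.2"),
    ("dev-004", "iOS", "17.2"),
    ("dev-005", "Android", "14"),
]

if __name__ == "__main__":
    for device_id, version, action in evaluate_inventory(SAMPLE_DEVICES, action="block"):
        print(f"{device_id}: version {version} < {MINIMUM_IOS}, action={action}")
```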

Overview 

Apple recently disclosed two critical zero-day vulnerabilities affecting iOS 17.1.1 and all older iOS versions, both in the WebKit engine that powers Safari. It should be noted that the total number of zero-days affecting Apple devices is now over 20 for this year. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and is requiring government agencies to have the patches in place by December 25th, 2023. The two vulnerabilities are:

  • CVE-2023-42916: Could allow attackers access to sensitive information on the device by exploiting an out-of-bounds read weakness.
  • CVE-2023-42917: Could allow attackers to gain arbitrary code execution capabilities through a memory corruption bug by delivering maliciously crafted webpages.  

The list of Apple devices that could be exposed through these vulnerabilities is extensive. Not counting variations of each model such as storage and connectivity options, there are 30 different Apple device types that could be vulnerable:

  • iPhone XS and later (10 models)
  • iPad Pro 12.9-inch 2nd generation and later (5 models)
  • iPad Pro 10.5-inch
  • iPad Pro 11-inch 1st generation and later (4 models) 
  • iPad Air 3rd generation and later (3 models)
  • iPad 6th generation and later (5 models)
  • iPad mini 5th generation and later (2 models)

Lookout Analysis

Each of these vulnerabilities presents a distinct challenge involving the memory of the vulnerable device. While details about how they are being exploited in the wild are currently scarce, it is likely that they are used in tandem to gain entry to a device that lands on a malicious webpage. CVE-2023-42916 could be used to leak the location of something specific in the device's memory, a common preparatory step for the next stage of an attack. In this case, that next stage would be exploiting CVE-2023-42917, which would allow code execution in the context of the WebKit engine's process. WebKit is the browser engine used by every web browser on iOS and iPadOS devices, including Safari, Chrome, Firefox, and Edge.

Depending on the attacker’s goals, their most likely course of action from this point would be to exfiltrate data from the current environment or escalate their own privileges in order to execute additional attacks on the target device. This could range from additional data exfiltration to more advanced surveillanceware, but regardless of the end goal, attacks like this rely on malicious content being loaded by WebKit. 

While Apple does a good job building a secure ecosystem, zero-days and phishing attacks are two weaknesses that affect every mobile device regardless of who manufactures it or what operating system it runs. To help combat these problems, Lookout provides multilayered protection for devices that are exploitable through multiple vectors and could be compromised.


Authors

Lookout


Platform(s) Affected: iOS
Entry Type: Threat Guidances
Threat Type: Vulnerability