Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari

April 8, 2023 | Rabbi Lakshmanan | Zero-day / endpoint security

Apple on Friday released security updates for iOS, iPadOS, macOS, and the Safari web browser to address two zero-day vulnerabilities that are being exploited in the wild.

The two vulnerabilities are:

  • CVE-2023-28205 – A use-after-free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
  • CVE-2023-28206 – An out-of-bounds write issue in IOSurfaceAccelerator that could allow an app to execute arbitrary code with kernel privileges.

Apple said it addressed CVE-2023-28205 with improved memory management and the second flaw with improved input validation, adding that it is aware the bugs “could be actively exploited.”

The flaw was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

Details about the two vulnerabilities have been withheld in light of their active exploitation and to prevent further exploitation by attackers.

The updates are available in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide range of devices:

  • iPhone 8 or later, iPad Pro (all models), iPad Air 3rd generation or later, iPad 5th generation or later, iPad mini 5th generation or later
  • Macs running macOS Big Sur, Monterey, and Ventura

Apple has patched three zero-days since the beginning of the year. In February, Apple addressed another actively exploited zero-day (CVE-2023-23529) in WebKit, which could lead to arbitrary code execution.

The development also comes as Google TAG revealed that commercial spyware vendors are using zero-days on Android and iOS to infect mobile devices with surveillance malware.
