Apple has released updates for two zero-day vulnerabilities used to attack iPhone, iPad, and Mac devices.
“Apple is aware of the following reports: [these issues] It may have been actively exploited,” the tech giant wrote in a security advisory published last Friday.
The first patched flaw (CVE-2023-28206) was an out-of-bounds write issue in IOSurfaceAccelerator that could allow an app to execute arbitrary code with kernel privileges. Apple said the issue was resolved with improved input validation.
“The IOSurfaceAccelerator framework is used in many iOS and MacOS applications that require high-performance graphics processing, such as video editors, games, and augmented reality applications,” said Krishna Vishnu, vice president of product strategy at Zimperium. Krishna Vishnubhotla explains.
“Since IOSurfaceAccelerator provides low-level access to graphics hardware resources, exploiting vulnerabilities in the framework could allow an attacker to manipulate graphics resources, intercept or modify data, or cause the device to crash. It is possible that
The second vulnerability (CVE-2023-28205) is a use-after-free flaw in WebKit that allows data corruption or arbitrary code execution when reclaiming freed memory. Apple says they fixed the bug by improving memory management.
“WebKit is the core software component of macOS and iOS that renders web pages and runs JavaScript code in the Safari web browser and other applications that use WebKit,” Vishnubhotla said.
“A vulnerability in WebKit could allow an attacker to take control of a device’s web browsing capabilities and steal sensitive user data, such as login credentials and other personal information. can be injected into web pages or launch phishing attacks to trick users into revealing sensitive information.”
Read more about Apple’s zero-day here: Apple fixes actively exploited iPhone zero-day vulnerability
Both vulnerabilities affect macOS Ventura 13.3.1 and iOS and iPadOS 16.4.1 devices. Apple credits Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
Mike Parkin, senior technical engineer at Vulcan Cyber, commented:
“It is interesting that Amnesty International’s Security Lab was one of the organizations involved in discovering and reporting this issue. was likely deployed by a nation-state attacker.”
Apple’s advisory comes days after Google warned Android users about commercial spyware vendors exploiting zero-day vulnerabilities in mobile devices.
Editorial image credit: Omar Tursic / Shutterstock.com
