Apple has released Security updates Friday for iOS, iPadOS, macOS, and the Safari web browser to address a pair of zero-day flaws that are being exploited in the real world.
The two vulnerabilities are as follows:
- CVE-2023-28205: a usage problem after release in WebKit which could lead to arbitrary code execution when processing specially created web content.
- CVE-2023-28206: a writing problem out-of-bounds in IOSurfaceAccelerator that could allow an app to execute malicious code with kernel privileges.
The “Big Apple” said it fixed CVE-2023-28205 with improved memory management and the latter with improved input validation, adding it was aware the bugs “may have been actively exploited.”
Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab are credited with discovering and reporting the flaws.
Details about the two vulnerabilities were withheld in light of active exploitation and to prevent other threat actors from abusing them.
The following Apple devices need to be updated ASAP
The updates are available in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1. The fixes also affect a wide range of devices:
- iPhone 8 and later, iPad Pro (all models), iPad Air third generation and later, iPad fifth generation and later, and iPad mini fifth generation and later.
- Macs running macOS Big Sur, Monterey, and Ventura.
Apple has fixed three zero-days since the beginning of the year. In February, Apple fixed another actively exploited zero-day (CVE-2023-23529) in WebKit which could lead to malicious code execution.
Development also comes while Google TAG has revealed that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.
#Apple #zeroday #Update #iPadOS #MacOS #iOS #Safari