On Friday, Apple released emergency security updates to address two new zero-day vulnerabilities. These weaknesses could be exploited to hack iPhones as well as Macs and iPads. According to the company, the list of affected devices is large, including gadgets launched in 2015.
There are two distinct flaws, both of which expose Apple devices to code execution attacks.
The first, CVE-2023-28206, is in IOSurfaceAccelerator. Apple describes it as an out-of-bounds write issue, which could lead to data corruption, crashing, or code execution. If exploited successfully, it would let a malicious application run arbitrary code with kernel privileges on certain devices.
The second vulnerability is CVE-2023-28205, a bug in WebKit that allows data corruption or arbitrary code execution when freed memory is reused. Attackers could exploit this weakness by tricking targets into loading malicious web pages, which could lead to code execution on compromised systems.
Apple addressed both zero-day flaws in the iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1 updates. The company's support page on the subject carries the following statement:
Apple is aware of a report that this issue may have been actively exploited.
Finally, the American company gave credit for the discovery to Google and the Amnesty International Security Laboratory.
Flaws affect iPhone 8 and other devices
Apple said that many of its devices are affected by the vulnerabilities. The list includes products launched as far back as 2015, as is the case with the iPad Pro:
- All versions of iPad Pro;
- iPad Air 3rd generation and later;
- iPad 5th generation and later;
- iPad mini 5th generation and later;
- iPhone 8 and later;
- Macs running macOS Ventura.
Apple already patched a vulnerability in February
It is worth remembering that Apple had already dealt with another flaw in February. CVE-2023-23529 was a WebKit issue that could be exploited to trigger operating system crashes and gain code execution on compromised devices.
A successful exploit would allow arbitrary code execution on devices running vulnerable versions of iOS, iPadOS and macOS after the user opened a malicious web page.
However, the iPhone maker released the zero-day fix in iOS 16.3.1, iPadOS 16.3.1 and macOS Ventura 13.2.1. As a result, the issue was resolved without much delay.
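As an added example (not part of the original article or any Apple tooling), the Python sketch below maps the fixed releases named above, for the April flaws and the February one, to their CVEs and reports which fixes a device's installed version still lacks. The inventory records and function names are constructed, and the check assumes any version below a fixed release is unpatched, since the article names no other fixed branches.

```python
import re

WEBKIT_FEB, WEBKIT_APR, IOSURFACE = "CVE-2023-23529", "CVE-2023-28205", "CVE-2023-28206"
# (first fixed release, CVEs it closes), as stated in the article
_MOBILE = [((16, 3, 1), [WEBKIT_FEB]), ((16, 4, 1), [WEBKIT_APR, IOSURFACE])]
FIXES = {
    "iOS": _MOBILE, "iPadOS": _MOBILE,
    "macOS": [((13, 2, 1), [WEBKIT_FEB]), ((13, 3, 1), [WEBKIT_APR, IOSURFACE])],
    # Assumption: Safari ships WebKit only, so its update maps to the WebKit flaw alone.
    "Safari": [((16, 4, 1), [WEBKIT_APR])],
}

def parse_version(text):
    """'16.4' -> (16, 4, 0); trailing text such as ' (build)' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def missing_fixes(product, version):
    """CVEs from the article still unfixed at this version; None if out of scope."""
    if product not in FIXES:
        return None
    v = parse_version(version)
    if product == "macOS" and v[0] < 13:
        return None  # the article lists only Macs running macOS Ventura
    return [cve for fixed, cves in FIXES[product] if v < fixed for cve in cves]

# Constructed inventory: (host, product, installed version)
INVENTORY = [
    ("iphone-01", "iOS", "16.4.1"),
    ("iphone-02", "iOS", "16.3.1 (build)"),
    ("ipad-07", "iPadOS", "16.2"),
    ("mac-03", "macOS", "13.3"),
    ("mac-03", "Safari", "16.4"),
    ("mac-09", "macOS", "12.6.3"),
]

def report(inventory):
    """Group outstanding CVEs per host, merging OS and Safari findings."""
    out = {}
    for host, product, version in inventory:
        for cve in missing_fixes(product, version) or []:
            out.setdefault(host, set()).add(cve)
    return {host: sorted(cves) for host, cves in out.items()}

if __name__ == "__main__":
    print(report(INVENTORY))
```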
With information from Bleeping Computer.