Apr 08, 2023
Ravie Lakshmanan
Apple on Friday released security updates for iOS,
iPadOS[1], macOS[2], and Safari web
browser[3] to address a pair of
zero-day flaws that are being exploited in the wild.
The two vulnerabilities are as follows –
- CVE-2023-28205 – A use after free issue[4]
in WebKit that could lead to arbitrary code execution when
processing specially crafted web content.
- CVE-2023-28206 – An out-of-bounds write issue[5] in IOSurfaceAccelerator
that could enable an app to execute arbitrary code with kernel
privileges.
Apple said it addressed CVE-2023-28205 with improved memory
management and the second with better input validation, adding it’s
aware the bugs “may have been actively exploited.”
Credited with discovering and reporting the flaws are Clément
Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó
Cearbhaill of Amnesty International’s Security Lab.
Details about the two vulnerabilities have been withheld in
light of active exploitation and to prevent more threat actors from
abusing them.
The updates are available in version iOS 16.4.1, iPadOS 16.4.1,
macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide
range of devices –
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
Apple has patched three zero-days since the start of the year.
In February, Apple addressed another actively exploited zero-day
(CVE-2023-23529[6]) in WebKit that could
result in arbitrary code execution.
The development also comes as Google TAG disclosed[7]
that commercial spyware vendors are leveraging zero-days in Android
and iOS to infect mobile devices with surveillance malware.
References
- [1] iOS, iPadOS (support.apple.com)
- [2] macOS (support.apple.com)
- [3] Safari web browser (support.apple.com)
- [4] use after free issue (cwe.mitre.org)
- [5] out-of-bounds write issue (cwe.mitre.org)
- [6] CVE-2023-23529 (thehackernews.com)
- [7] disclosed (thehackernews.com)
- [8] Twitter (twitter.com)
- [9] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html
