Apple just patched a pair of dangerous iOS and macOS security issues, so update now

Apple logo on the side of a building
(Image credit: zomby / Shutterstock)

Apple has fixed two zero-day flaws that were being actively exploited against users with iPhones, Macs, and iPad devices. 

The flaws could have allowed threat actors to take over victim's devices, giving them full access to the endpoints, experts said. 

"Apple is aware of a report that this issue may have been actively exploited," the Cupertino giant said in an advisory published with the fixes. 

Long list of affected devices

The two flaws are being tracked as CVE-2023-28206 and CVE-2023-28205. The former is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps, and devices, and remotely execute code. Worst case scenario - a threat actor could push a malicious app allowing them to execute arbitrary code with kernel privileges on the target endpoint.

The latter is a WebKit use after free vulnerability with similar consequences - data corruption and arbitrary code execution. For this flaw, the worst-case scenario is to trick victims into visiting a malicious website, resulting in remote code execution.

The flaws were addressed in the release of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, so if you’re worried about these vulnerabilities, make sure to bring your systems to the latest version as soon as possible.

Apple released a list of vulnerable devices, including the iPhone 8 and newer, all iPad Pros, iPad Air 3d generation and newer, iPad 5th generation and newer,iPad mini 5th generation and newer, and all macOS Ventura devices. 

Apple did say it was aware of threat actors abusing the zero-days in the wild, but did not discuss the details. However, BleepingComputer speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.

The researchers that found the flaws are Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. The flaws were being used as part of an exploit chain, it was said.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.