Apple's recent zero-days patch is now available for older devices

Apple logo on the side of a building
(Image credit: zomby / Shutterstock)

Apple has now backported a fix for two major zero-days - which are allegedly being exploited in the wild - to older devices. 

Now, all iPhone 6s models and newer, as well as many older iPad models, are protected from two vulnerabilities that were said to give threat actors full access to the vulnerable endpoints.

The two flaws are being tracked as CVE-2023-28206 and CVE-2023-28205. The first is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. Worst case scenario - a threat actor could push a malicious app allowing them to execute arbitrary code with kernel privileges on the target endpoint.

Older smartphones

The second is a WebKit with similar consequences - data corruption and arbitrary code execution. For the exploit, the aim is to trick victims into visiting a malicious website which results in remote code execution.

Now, besides iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 being safe from these bugs, updates have also made it to older devices sporting iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

This means that the following devices are now covered: all iPhone 6s models, all iPhone7 models, first generation iPhone SE, iPod Air 2, 4th generation iPad mini, 7th generation iPod touch, and all Macs powered by macOS Monterey and Big Sur.

Apple did say it was aware of threat actors abusing the zero-days, but did not discuss the details. However, BleepingComputer speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.

The researchers that found the flaws are Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. The flaws were being used as part of an exploit chain, it was said.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.