US government orders its workers to update their iPhones immediately

Apple logo on the side of a building
(Image credit: zomby / Shutterstock)

US government workers owning Apple devices have until May 1 to apply the latest patch and protect their endpoints from potential compromise.

BleepingComputer recently reported that the Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to apply a patch fixing CVE-2023-28206 and CVE-2023-28205 on iPhones, Mac computers, and iPad devices.

Allegedly, the flaws are being actively exploited in the wild to give threat actors full access to the target devices. "Apple is aware of a report that this issue may have been actively exploited," the Cupertino giant said in an advisory published with the fixes.

Many affected devices

One is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. The worst-case scenario is that a threat actor could push a malicious app that lets them execute arbitrary code with kernel privileges on the device.

The other is a WebKit vulnerability with similar consequences: data corruption and arbitrary code execution, triggered when a victim visits a malicious website, resulting in remote code execution.

The flaws were addressed in the release of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, so if you’re worried about these vulnerabilities, make sure to bring your systems to the latest version as soon as possible.

Apple released a list of vulnerable hardware, which included all iPad Pros and macOS Ventura devices, as well as iPad and iPad Mini devices from the 5th generation onwards and iPad Air devices from the 3rd generation onwards. Smartphones from the iPhone 8 onwards are also affected.

The company did say it was aware of threat actors abusing the zero-days in the wild, but did not discuss the details. The media speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.

The researchers that found the flaws are Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. The flaws were apparently being used as part of an exploit chain.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.