Apple Releases Update to Address Zero-Day Shortage on iOS, iPadOS, macOS, and Safari
Apple on Friday released a security update for iOS, iPadOS, macOSAnd Safari web browser to address a pair of zero-day weaknesses being exploited in the wild.
The two vulnerabilities are as follows –
- CVE-2023-28205 – A use after problem free in WebKit which can lead to arbitrary code execution when processing custom-built web content.
- CVE-2023-28206 – A Out of bounds writing problem in IOSurfaceAccelerator that allows applications to execute arbitrary code with kernel privileges.
Apple says it’s addressing CVE-2023-28205 with improved memory management and the latter with better input validation, adding that the bug “may have been actively exploited.”
Credited for discovering and reporting the vulnerability are Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
Details about the two vulnerabilities have been kept private due to active exploitation and to prevent more threat actors from abusing them.
The update is available in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 versions. The fix also spans a wide range of devices –
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
Apple has patched three zero days since the start of the year. In February, Apple addressed an actively exploited zero-day (CVE-2023-23529) in WebKit that could result in arbitrary code execution.
The development also comes as Google TAG disclosed that commercial spyware vendors are leveraging zero-days on Android and iOS to infect mobile devices with surveillance malware.