The two vulnerabilities are as follows -
- CVE-2023-28205 - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
- CVE-2023-28206 - An out-of-bounds write issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges.
Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it's aware the bugs "may have been actively exploited."
Credited with discovering and reporting the flaws are Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab.
Details about the two vulnerabilities have been withheld in light of active exploitation and to prevent more threat actors from abusing them.
The updates are available in version iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide range of devices -
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
Apple has patched three zero-days since the start of the year. In February, Apple addressed another actively exploited zero-day (CVE-2023-23529) in WebKit that could result in arbitrary code execution.
The development also comes as Google TAG disclosed that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.
Apple Expands Patches to Older Devices
Apple, on April 10, 2023, backported patches for the two actively exploited flaws to include older iPhones, iPads, and Macs. The updates are available for the following devices -
- iOS 15.7.5 and iPadOS 15.7.5 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Big Sur 11.7.6 and Monterey 12.6.5 (It's worth noting that the update only addresses CVE-2023-28206.)