Apple has released emergency security updates to address two zero-day vulnerabilities that have already been exploited in the wild. Tracked as CVE-2023-28205 and CVE-2023-28206, they impact a long list of Apple devices, including, but not limited to:
- iPhone 8 and later models
- iPad Pro (all models)
- iPad Air 3rd generation and later models
- iPad 5th generation and later models
- iPad mini 5th generation and later models
- Apple Macs running macOS Ventura
The first flaw, CVE-2023-28206, is an IOSurfaceAccelerator out-of-bounds write that could result in data corruption, a system crash, or malicious code execution. An attacker could use a maliciously crafted app to run code with kernel privileges on unpatched devices.
The second vulnerability, CVE-2023-28205, is a WebKit use-after-free flaw. It risks data corruption or arbitrary code execution when freed memory is reused. Hackers would need to lure unsuspecting users into loading a maliciously crafted web page in order to execute code on their devices.
Apple has addressed these flaws in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. Be aware that users are still required to download and install these updates themselves.
Apple says it is aware of reports that these zero-day vulnerabilities are being exploited in the real world, but won’t provide extensive information on them. This is typical of Apple, as the company states in its security advisory that it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available” to safeguard its users.
What You Should Do
Install the latest security updates as soon as they become available to keep your Apple devices safe.