Apple Patched Two New Zero-days That Were Exploited to Hack iPhones and macOS

Apple has recently taken swift action to patch two zero-day vulnerabilities that posed a potential threat of exploitation in cyberattacks. 

The vulnerabilities have been successfully fixed in emergency security updates released by Apple to safeguard its devices, such as iPhones, Macs, and iPads, against potential breaches.

One of the most alarming revelations is that Apple may have already known the exploitation of these zero-day vulnerabilities in the wild.

Since we all know that Apple always follows a strict curriculum while handling or making public any technical details regarding zero-day flaws.

Experts from Amnesty International and Google’s Threat Analysis Group (TAG) have identified these two zero-day vulnerabilities:-

• Clément Lecigne from TAG
• Donncha Ó Cearbhaill from Amnesty International

Apple Zero-day Flaws

The two zero-day vulnerabilities were tracked as follows:-

• CVE-2023-28206: It’s an IOSurfaceAccelerator out-of-bounds write, and it could lead to:-

• Data corruption
• A crash
• Code execution

The successful exploitation of CVE-2023-28206 will enable an attacker to gain kernel privileges using a maliciously crafted application and execute arbitrary code on the target’s devices.

• CVE-2023-28205: It’s a WebKit used after free weakness, and while reusing freed memory, it could lead to:-

• Data corruption
• Arbitrary code execution

The successful exploitation of CVE-2023-28205 enables the threat actors to deceive targets into downloading malicious web pages under their control, potentially resulting in the execution of arbitrary code on compromised devices.

While apart from this, it has been confirmed by security analysts that hackers exploiting these two vulnerabilities tend to focus their attacks on human rights workers.

Even these two zero-day vulnerabilities could be chained together with other security flaws in the wild to exploit iOS devices. 

One of the most concerning issues is that several users will remain vulnerable to these zero-day flaws since the threat actors are actively exploiting these zero-day flaws before any patches have been released.

Vulnerable Devices

It appears that Apple has provided quite a comprehensive list of vulnerable devices, and these devices include:-

• iPhone 8 and later
• iPad Pro (all models)
• iPad Air 3rd generation and later
• iPad 5th generation and later
• iPad mini 5th generation and later
• Macs running macOS Ventura

Fix

Apple released several emergency security updates in an attempt to address these two zero-day vulnerabilities, and here below, we have mentioned them:-

• iOS 16.4.1
• iPadOS 16.4.1
• macOS Ventura 13.3.1
• Safari 16.4.1

Cybersecurity researchers have urged users to immediately update their devices to prevent any potential breach or exploitation.

Struggling to Apply The Security Patch in Your System? – 

Related Read:

• Apple Privilege Escalation Bug Let Attacker Execute Arbitrary Code
• Apple WebKit Zero-Day Vulnerability Exploited to Hack iPhones, iPads, and Macs
• Apple Fixes New Kernel Zero-Day Bug That Attacks iPhones, iPads Remotely
• A 5-Year-Old Bug in Apple Safari Exploited in the Wild – Google Project Zero