LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

Apple gives security patches for two zero-day exploits

Apple has recently released security patches to fix two new zero-day vulnerabilities that can be exploited to compromise the security of iPhones, Macs, and iPads.

"Apple is aware of the report that this issue may have been actively exploited," the company said when describing the issue in a security advisory published on Friday.

The first security issue, tracked as CVE-2023-28206, is an out-of-bounds write in IOSurfaceAccelerator that can lead to data corruption, a crash, or code execution.

Successful exploitation can allow an attacker to execute arbitrary code with kernel privileges on the victim’s device with the help of a maliciously crafted application.

The other zero-day vulnerability, tracked as CVE-2023-28205, is a WebKit use-after-free weakness that allows data corruption or arbitrary code execution when freed memory is reused.

This vulnerability can be exploited by tricking the victim into loading a malicious web page under the attacker’s control, which could lead to arbitrary code execution on the victim’s device.

These zero-day vulnerabilities are addressed in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 with improved input validation and memory management.

Apple released a list of affected devices, which is quite extensive and includes:

  1. iPhone 8 and later,
  2. iPad Pro (all models),
  3. iPad Air 3rd generation and later,
  4. iPad 5th generation and later,
  5. iPad mini 5th generation and later,
  6. and Macs running macOS Ventura.

Apple has fixed 3 zero-days since the start of the year

Even though Apple says it’s aware of in-the-wild exploitation reports, the company is yet to publish information regarding these attacks.

However, it turned out that the two issues had been disclosed after Clément Lecigne of Google’s Threat Analysis Group and Donncha Cearbhaill of Amnesty International’s Security Lab discovered them being used in the wild as part of an attack chain.

Both organizations regularly disclose campaigns exploiting zero-day bugs abused by government-sponsored threat actors to deploy commercial spyware on the smartphones and computers of politicians, journalists, dissidents, and other high-risk individuals worldwide.

Last week, Google TAG and Amnesty International exposed two recent series of attacks using exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy mercenary spyware.

While the zero-days patched today were most likely only used in highly-targeted attacks, installing these emergency updates as soon as possible is highly recommended to block potential attack attempts.

In February, Apple addressed another WebKit zero-day (CVE-2023-23529) exploited in attacks to trigger OS crashes and gain code execution on vulnerable iPhones, iPads, and Macs.

Reference: BleepingComputer

    Team Ciphers Security
