AdminApple fixed two zero-day vulnerabilities that were actively exploited against iPhone, Mac and iPad users.
Experts said the vulnerabilities could have allowed cybercriminals to take control of the victim’s devices, giving them full access to endpoints.
“Apple is aware of the report that this issue may have been actively exploited,” the Cupertino giant said in an advisory (opens in a new tab) published with corrections.
Long list of affected devices
These two vulnerabilities are tracked as CVE-2023-28206 and CVE-2023-28205. The first is the IOSurface write-out-of-bounds vulnerability that allowed cybercriminals to corrupt data, crash applications and devices, and remotely execute code. Worst case scenario – A cybercriminal can push a malicious application, allowing them to execute arbitrary code with kernel privileges on the targeted endpoint.
The latter is the use of WebKit after the vulnerability has been released with similar consequences – data corruption and arbitrary code execution. For this vulnerability, the worst case scenario is for victims to be tricked into visiting a malicious website, resulting in remote code execution.
The vulnerabilities have been fixed in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1, so if you are concerned about these vulnerabilities, make sure you update your systems to the latest version as soon as possible.
Apple has published a list of affected devices, including the iPhone 8 and later, all iPad Pro, iPad Air 3d generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and all macOS Ventura devices.
Apple said it is aware of cybercriminals exploiting zero day in the wild, but did not elaborate on the details. However, BleepingComputer speculates that the attackers may be state-sponsored, given that the vulnerabilities were discovered by researchers who usually prey on government-sponsored gamers.
The researchers who found the vulnerabilities include Clément Lecigne of Google’s Threat Intelligence Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. The vulnerabilities were said to be used as part of an exploit chain.
By: Beeping Computer (opens in a new tab)
