Apple updates fix security vulnerabilities

A significant iOS security update from Apple has been released to address two zero-day flaws that are already being used in the wild. The most recent patches for iOS 16.4.1 and iPadOS 16.4.1 fix code execution vulnerabilities in IOSurfaceAccelerator and WebKit, indicating that a sophisticated attack chain targeting the newest iPhone models was discovered in the wild.

“Apple is aware of a report that this issue may have been actively exploited,” Cupertino says in a barebones advisory that credits Google and Amnesty International with reporting the issue.

The advisory details two distinct problems, CVE-2023-28205 and CVE-2023-28206, which make iPhones and iPads vulnerable to arbitrary code execution attacks.

  • CVE-2023-28205 – A use-after-free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
  • CVE-2023-28206 – An out-of-bounds write issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges.

The IOSurfaceAccelerator flaw, according to Apple, was an out-of-bounds write problem that was fixed with better input validation.

The WebKit problem that allowed arbitrary code to run with kernel privileges via web content has been fixed with better memory management. The company did not specify whether the recently identified exploits are able to get through Apple’s Lockdown Mode feature, which was designed to stop these kinds of attacks.

The iOS patch aligns with Google’s report that commercial spyware companies are using zero-day vulnerabilities to deliver surveillance software to mobile devices. One of the two efforts Google detailed this week began by sending a link to the intended victim through SMS. When clicked, the link sent the victim to malicious websites that delivered iOS or Android exploits, depending on the target device. Once the exploits had been delivered, victims were redirected to legitimate websites, probably to avoid arousing suspicion.

The updates are available in iOS 16.4.1, iPadOS 16.4.1, macOS Sierra 13.3.1, and Safari 16.4.1. The patches apply to a variety of devices, including:

  • Macs running macOS Big Sur, Monterey and Ventura
  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later

Source

https://support.apple.com/en-us/HT213725

https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html
