Apple releases emergency security updates to address zero-day vulnerabilities on iPhones, Macs, and iPads
Apple Releases Emergency Security Updates to Address Two Zero-Day Vulnerabilities
Apple has released emergency security updates to address two new zero-day vulnerabilities that have been exploited to compromise iPhones, Macs, and iPads. In security advisories published on Friday, the company warned of a report that these issues may have been actively exploited.
The first vulnerability, tracked as CVE-2023-28206, is an IOSurfaceAccelerator out-of-bounds write that can lead to data corruption, a crash, or code execution. Attackers can use a maliciously crafted app to execute arbitrary code with kernel privileges on targeted devices, once they have successfully exploited the flaw.
The second zero-day vulnerability (CVE-2023-28205) is a WebKit use-after-free weakness, which can result in data corruption or arbitrary code execution when reusing freed memory. Attackers can trick targets into loading malicious web pages under their control, leading to code execution on compromised systems.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
Apple responds to in-the-wild exploitation reports with critical security updates
To address these vulnerabilities, Apple has released iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, which include improved input validation and memory management. The list of affected devices is quite extensive, including iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and Macs running macOS Ventura.
Although Apple has acknowledged reports of exploitation in the wild, it has not published any information regarding these attacks. However, Apple revealed that Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab discovered the two flaws exploited in the wild as part of an exploit chain. Both organizations regularly disclose campaigns exploiting zero-day bugs abused by government-sponsored threat actors to deploy commercial spyware on the smartphones and computers of politicians, journalists, dissidents, and other high-risk individuals worldwide.
Super proud of our team at @AmnestyTech and everyone who helped in this investigation.
Today, Apple published an emergency update for all iPhones to patch an exploit chain which we, together with @_clem1 (Google TAG) discovered in the wild. pic.twitter.com/KLMYjqi3lK
— Donncha Ó Cearbhaill (@DonnchaC) April 7, 2023
Trending: Offensive Security Tool: Mythic
In February, Apple addressed another WebKit zero-day (CVE-2023-23529), which had been exploited in attacks to trigger OS crashes and gain code execution on vulnerable iPhones, iPads, and Macs. While the zero-days patched recently were most likely used in highly targeted attacks, it is highly recommended to install these emergency updates as soon as possible to block potential attack attempts.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
