Apple has released iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1, security updates that fix two zero-day vulnerabilities.
A remote attacker could exploit the WebKit flaw, via maliciously crafted web content, to take control of unpatched systems; the IOSurfaceAccelerator flaw requires an app already running on the device, but gives it code execution with kernel privileges.
Zero days
The iOS 16.4.1 and iPadOS 16.4.1 security updates fix two zero-day vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that were under active exploitation in the wild.
CVE-2023-28206 is a flaw in IOSurfaceAccelerator that could allow a malicious app to execute arbitrary code with kernel privileges. CVE-2023-28205 is a WebKit flaw in which processing maliciously crafted web content may lead to arbitrary code execution.
Apple is aware of a report that each of these issues may have been actively exploited.
Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab have been credited with discovering and reporting the vulnerabilities.
Just over a week ago, Lecigne wrote in a TAG report how spyware vendors used zero-days and n-days against Android, iOS and Chrome in recent campaigns that were both limited and highly targeted.
The iOS and iPadOS updates are available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Similarly, macOS Ventura 13.3.1 patches the same two zero-days, the IOSurfaceAccelerator and WebKit flaws.
Finally, Safari 16.4.1 addresses only the WebKit zero-day (CVE-2023-28205); it is available for macOS Big Sur and macOS Monterey, which cannot install the Ventura 13.3.1 update.
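The practical question for a Mac fleet is whether a given machine is on a fixed build. The script below is an added example, not code from Apple or from the original article: it compares dotted version strings numerically (a plain string comparison sorts 13.3.10 before 13.3.1) and applies the fixed versions named above, then, when run on macOS, reads the live versions with `sw_vers` and from Safari's Info.plist at its standard install path. Treating any macOS release newer than Ventura as already carrying the fixes is an assumption of the script, not something the advisory states.

```shell
#!/bin/sh
# Added example, not part of Apple's advisory or the article: a patch-level check
# for the macOS side of these updates.

# version_ge A B: succeed if dotted version A is >= dotted version B,
# comparing each component as an integer (13.3.10 > 13.3.1, 13.3 < 13.3.1).
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=$(printf '%s' "${a%%.*}" | tr -cd '0-9')   # leading component, digits only
        bx=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        ax="${ax:-0}"                                  # a missing component counts as 0
        bx="${bx:-0}"
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# kernel_fix_present MACOS_VERSION: the IOSurfaceAccelerator fix (CVE-2023-28206)
# shipped in macOS Ventura 13.3.1; any later macOS is assumed to carry it.
kernel_fix_present() {
    version_ge "$1" 13.3.1
}

# webkit_fix_present MACOS_VERSION SAFARI_VERSION: the WebKit fix (CVE-2023-28205)
# shipped in macOS Ventura 13.3.1 and, for Big Sur (11.x) and Monterey (12.x),
# in the separate Safari 16.4.1 update.
webkit_fix_present() {
    case "$1" in
        11.*|12.*) version_ge "$2" 16.4.1 ;;
        13.*)      version_ge "$1" 13.3.1 ;;
        *)         version_ge "$1" 14 ;;   # assumption: later major releases include the fix
    esac
}

# Live check, only when run on macOS (sw_vers and Safari.app are macOS-specific;
# the Info.plist path below is Safari's standard install location).
if command -v sw_vers >/dev/null 2>&1; then
    macos=$(sw_vers -productVersion)
    safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
             CFBundleShortVersionString 2>/dev/null || echo 0)
    printf 'macOS %s, Safari %s\n' "$macos" "$safari"
    if kernel_fix_present "$macos"; then
        echo "CVE-2023-28206 (IOSurfaceAccelerator): fixed"
    else
        echo "CVE-2023-28206 (IOSurfaceAccelerator): NOT fixed, the fix is in macOS Ventura 13.3.1"
    fi
    if webkit_fix_present "$macos" "$safari"; then
        echo "CVE-2023-28205 (WebKit): fixed"
    else
        echo "CVE-2023-28205 (WebKit): NOT fixed, install Safari 16.4.1 or macOS Ventura 13.3.1"
    fi
fi
```

On a Big Sur or Monterey machine the script reports the WebKit fix from the Safari version alone, which matches what this release set provides for those systems; the kernel fix is only reported as present once the machine is on Ventura 13.3.1 or later.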
Readers can check out additional details by visiting Apple’s Security Updates page.