Recently, two new zero-day vulnerabilities were identified and exploited in the wild to compromise Apple devices. These vulnerabilities have been addressed by emergency security updates released recently by Apple.
Here below, we have mentioned the Apple devices that were targeted and could be compromised:-
Apart from this, the most shocking thing is that Apple might have already been aware of the active exploitation of these vulnerabilities in the wild. As usual with Apple, few details about the zero-day attacks were revealed.
The zero-day flaws are tracked as:-
It’s an IOSurfaceAccelerator out-of-bounds write, and it could lead to:-
- Data corruption
- A crash
- Code execution
It’s a WebKit used after free weakness, and while reusing freed memory, it could lead to:-
- Data corruption
- Arbitrary code execution
These zero-day vulnerabilities were identified by security experts from Google’s Threat Analysis Group and Amnesty International:-
- Clément Lecigne from TAG
- Donncha Ó Cearbhaill from Amnesty International
While security analysts affirmed that human rights workers are mainly targeted by hackers exploiting these two vulnerabilities.
Amnesty Intl. researcher Donncha Ó Cearbhaill confirmed via tweet that the discovered vulnerabilities can be chained together to exploit iOS devices and were found “in the wild.”
In addition to being zero-day holes, attackers are already using them before any patches are available, which is alarming.
If the CVE-2023-28206 is exploited successfully, an attacker may be able to execute arbitrary code on the targets’ devices with kernel privileges using a maliciously crafted application.
As a result of CVE-2023-28205, threat actors can exploit targets by deceiving them into downloading malicious web pages controlled by threat actors. As a result, the execution of arbitrary code on compromised systems could occur.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” Apple says.
The list of affected devices provided by Apple is quite extensive, including the following devices:-
- iPhone 8 and later
- iPad Pro (all models)
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
- and Macs running macOS Ventura
With the add-on of more sophisticated input validation and memory management, these two zero-day vulnerabilities were fixed by Apple in:-
- iOS 16.4.1
- iPadOS 16.4.1
- macOS Ventura 13.3.1
- Safari 16.4.1
While cybersecurity analysts have strongly recommended users immediately install the emergency updates released by Apple. Doing so will prevent potential attacks, even though the zero-days fixed today were probably only utilized in specific, targeted attacks.
Looking For an All-in-One Multi-OS Patch Management Platform? – Try Patch Manager Plus
Warning! Apple Fixes Actively Exploited iOS Zero-Day on iPhones & iPads
Apple New Webkit Zero-day Flaw Used Actively Used in Attacks Against iPhones