Apple has released an urgent security update for iOS, iPadOS, macOS, and Safari to address two zero-day vulnerabilities that are currently being exploited in the wild. The first vulnerability, CVE-2023-28205, is a use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content. The second, CVE-2023-28206, is an out-of-bounds write issue in IOSurfaceAccelerator that could allow an app to execute arbitrary code with kernel privileges.
To address the vulnerabilities, Apple has improved memory management and implemented better input validation. The company also acknowledged that these flaws “may have been actively exploited.” The discoveries were credited to Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
In light of active exploitation, Apple has withheld details about the two vulnerabilities to prevent further exploitation. Users can download the updates in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, and the fixes cover a wide range of devices, including iPhone 8 and later, iPad Pro, iPad Air, iPad, and iPad mini.
This marks the third zero-day flaw that Apple has patched since the start of the year, following a flaw in WebKit in February that could also result in arbitrary code execution. The recent development also coincides with the disclosure by Google’s TAG that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.