Apple has recently released iOS 16.4.1 and iPadOS 16.4.1 updates, which fix two zero-day flaws that were actively exploited against users with iPhones, Macs, and iPad devices. These two flaws, tracked as CVE-2023-28206 and CVE-2023-28205, could have allowed threat actors to take over the victim’s devices and gain full access to their endpoints.
The first flaw, identified as CVE-2023-28206, is related to the IOSurfaceAccelerator component, which is available on iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. The flaw could allow an app to execute arbitrary code with kernel privileges. Apple has confirmed that this flaw may have been actively exploited.
The second flaw, identified as CVE-2023-28205, is related to the WebKit component, which is also available on the same iOS and iPadOS devices. The flaw could allow maliciously crafted web content to execute arbitrary code, which could also have been actively exploited.
Apple has stated that it is aware of a report suggesting that both of these flaws were being actively exploited. The company has released the updates with the fixes for both flaws and recommended that all users update their devices immediately.
According to Apple’s security advisory, an out-of-bounds write issue was addressed with improved input validation for the IOSurfaceAccelerator flaw. For the WebKit flaw, a use-after-free issue was addressed with improved memory management.
These vulnerabilities were discovered by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. The details of how the vulnerabilities were exploited have not been disclosed, but it is clear that the attackers had a way to bypass Apple’s security mechanisms.
In conclusion, Apple has fixed two serious zero-day flaws that were actively exploited against its users. These flaws could have allowed attackers to take over victim’s devices and gain full access to their endpoints. It is crucial for all iOS and iPadOS users to update their devices to the latest version as soon as possible to stay protected.