Apple Inc. has released patches for two unpatched exploited in the wild vulnerabilities that target Apple devices, including iPhones, iPads, and Mac computers.
The first vulnerability, designated CVE-2023-28205, is described by Apple as an issue in WebKit that allowed processing of maliciously crafted web content that could lead to the execution of arbitrary code. The second, CVE-2023-28206is described as a problem with IOSurfaceAccelerator that would allow an application to execute arbitrary code with kernel privileges.
Both vulnerabilities were discovered by Clément Lecigne of Google LLC’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. Apple also noted Friday that he is aware of a report that both “may have been actively exploited”.
Both vulnerabilities targeted iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1, and Safari 16.4.1, subsequently affecting iPhone 8 and later, all iPad Pro models, iPad Air from third generation or later, iPad and iPad Mini – fifth generation or later, and Macs running macOS Ventura.
Apple released patches for the vulnerabilities on Friday, but given the Easter weekend, they were mostly overlooked at first. In his opinionApple recommends that users keep their software up to date to maintain product security.
Around the world, governments and security consulting companies are also encouraging users to update their products. The time of the straits reported today that the Singapore Computer Emergency Response Team is urging users to install updates immediately.
Apple didn’t delve into what was involved in the vulnerabilities, but Krishna Vishnubhotla, vice president of product strategy at the mobile security solution provider Zimperium Inc.explained to SiliconANGLE what the different components do.
“The IOSurfaceAccelerator framework is used by many iOS and macOS applications that require high-performance graphics processing, such as video editors, games, and augmented reality applications,” Vishnubhotla said. “If IOSurfaceAccelerator is exploited, it could potentially allow an attacker to gain unauthorized access to sensitive data or execute malicious code on an iOS device.”
Much better known is WebKit, the engine for Apple’s Safari browser and used by Apple to render web pages in apps, and Vishnubhotla noted that any security vulnerabilities in the engine can pose a significant risk to users.
“Exploitation of a vulnerability in WebKit could allow attackers to take control of the device’s web browsing capabilities and steal sensitive user data, such as login credentials and other personal information,” said he declared. “It could also allow attackers to inject malicious code into web pages or launch phishing attacks to trick users into revealing sensitive information.”