Apple has recently fixed two zero-day vulnerabilities that were actively being exploited to target iPhone, iPad, and Mac users. These flaws had the potential to enable attackers to take over devices and access them remotely, according to experts.
The Cupertino giant acknowledged in a recently published advisory that it was aware of reports indicating that the vulnerabilities, tracked as CVE-2023-28206 and CVE-2023-28205, were being actively exploited by threat actors.
The first vulnerability, known as IOSurface out-of-bounds write, enabled attackers to corrupt data, crash applications and devices, and remotely execute code. In the worst-case scenario, a malicious actor could install an app that allowed them to execute arbitrary code with kernel privileges on the endpoint.
The second vulnerability, dubbed WebKit use after free, allowed attackers to execute arbitrary code remotely and result in data corruption. Victims could be tricked into visiting a malicious website, which could lead to remote code execution.
Apple released the fixes for these vulnerabilities in the form of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The company recommended that all vulnerable systems be updated to the latest version as soon as possible.
Apple has also provided a list of vulnerable devices, including the iPhone 8 and newer, all iPad Pros, iPad Air 3d generation and newer, iPad 5th generation and newer, iPad mini 5th generation and newer, and all macOS Ventura devices.
Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab discovered the vulnerabilities as part of an exploit chain. While Apple did not elaborate on who was behind the exploitation of these zero-day vulnerabilities, BleepingComputer suggested that the attackers might be state-sponsored, given the profile of the researchers who discovered the vulnerabilities.
