Pierluigi Paganini
April 11, 2023
Apple has released emergency updates to backport security patches that address two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.
On April 7, 2023, Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads.
Impacted devices include:
The zero-day CVE-2023-28205 is a use after free issue that resides in the WebKit, its exploitation may lead to arbitrary code execution. An attacker can trigger the flaw by tricking the victims into loading maliciously crafted web pages. The IT giant addressed the flaw with improved memory management.
The zero-day CVE-2023-28206 is an out-of-bounds write issue that resides in the IOSurfaceAccelerator. The company addressed the flaw with improved input validation.
Apple addressed the zero-day issue with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.
Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
On April 10, 2023, US Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities catalog.
Today, Apple extended the security updates to the following devices with the release of iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6:
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Apple)
