Apple released emergency updates to fix recently disclosed zero-day bugs on older devices

Apple released updates to backport patches addressing two actively exploited zero-day vulnerabilities in older iPhones, iPads, and Macs.

Apple has released emergency updates to backport security patches that address two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.

On April 7, 2023, Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads.

Impacted devices include:

• iPhone 8 and later,
• iPad Pro (all models),
• iPad Air 3rd generation and later,
• iPad 5th generation and later,
• iPad mini 5th generation and later,
• and Macs running macOS Ventura.

The zero-day CVE-2023-28205 is a use after free issue that resides in the WebKit, its exploitation may lead to arbitrary code execution. An attacker can trigger the flaw by tricking the victims into loading maliciously crafted web pages. The IT giant addressed the flaw with improved memory management.

The zero-day CVE-2023-28206 is an out-of-bounds write issue that resides in the IOSurfaceAccelerator. The company addressed the flaw with improved input validation.

Apple addressed the zero-day issue with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.

Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

On April 10, 2023, US Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities catalog.

Today, Apple extended the security updates to the following devices with the release of iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6:

• iPhone 6s (all models),
• iPhone 7 (all models),
• iPhone SE (1st generation),
• iPad Air 2,
• iPad mini (4th generation),
• iPod touch (7th generation),
• and Macs running macOS Monterey and Big Sur.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)