Shortly after releasing new software for iPhone and Mac today with “important bug fixes and security updates,” Apple has detailed the specifics of the security flaws that have been patched. Notably, Apple says it is aware of reports that they have been exploited in the wild.
Apple shared on its security updates page that the same two flaws were fixed in both iOS and macOS.
The first was an IOSurfaceAccelerator flaw that could allow apps to “execute arbitrary code with kernel privileges.” The second was a WebKit flaw in which processing maliciously crafted web content could also lead to arbitrary code execution.
For both flaws, Apple says it is “aware of a report that this issue may have been actively exploited,” so install these updates as soon as possible to be on the safe side.
Here are the full details:
IOSurfaceAccelerator
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
WebKit
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab