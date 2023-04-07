

PSA: iOS 16.4.1 and macOS 13.3.1 patch two ‘actively exploited’ security vulnerabilities

Michael Potuck | Apr 7 2023 - 10:44 am PT

Shortly after releasing new software for iPhone and Mac today with “important bug fixes and security updates,” Apple has detailed the specifics of the security flaws that have been patched. Notably, Apple has shared that it has seen reports of them being exploited in the wild.

Apple shared on its security updates page that the same two flaws were fixed in both iOS and macOS.

The first was an IOSurfaceAccelerator flaw that could allow apps to “execute arbitrary code with kernel privileges.” The second was a WebKit flaw in which processing maliciously crafted web content could also lead to arbitrary code execution.

For both flaws, Apple says it is “aware of a report that this issue may have been actively exploited,” so get these updates installed as soon as possible to be on the safe side.

Here are the full details:

IOSurfaceAccelerator

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
