Two zero-day vulnerabilities affecting a range of Apple devices have recently been disclosed. The flaws, tracked as CVE-2023-28205 and CVE-2023-28206, were found by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. Both vulnerabilities have been actively exploited, which raises the stakes for users and puts Apple on high alert.
The first vulnerability, CVE-2023-28205, is a use-after-free in WebKit. It can be exploited by luring targets into loading malicious web pages under the attackers' control, which may result in the execution of malicious code on the compromised device. In layman's terms, visiting a compromised website is all it takes for attackers to take control of your device.
Processing maliciously crafted web content may lead to arbitrary code execution, which grants attackers unauthorized access to your device. Apple addressed this use-after-free issue with improved memory management.
IOSurfaceAccelerator Out-of-Bounds Write Vulnerability (CVE-2023-28206)
The second flaw, CVE-2023-28206, is an out-of-bounds write in IOSurfaceAccelerator. An application can exploit it to execute arbitrary code with kernel privileges, which gives attackers the highest level of access to the target device.
An app that takes advantage of this vulnerability may be able to execute arbitrary code with kernel privileges, effectively giving attackers control of the device. Apple addressed the out-of-bounds write with improved input validation.
Apple said in its security advisories that it is aware of a report that this vulnerability may have been actively exploited.
In February, the company issued critical security updates to address an actively exploited zero-day vulnerability tracked as CVE-2023-23529, which affects iOS, iPadOS, and macOS. The flaw, a type confusion issue in WebKit, was fixed with improved checks.
By tricking victims into opening maliciously crafted web content, an attacker can achieve arbitrary code execution and take control of the victim's system.
Apple has moved quickly to remedy these zero-day vulnerabilities after discovering them. The latest versions of iOS (16.4.1), iPadOS (16.4.1), macOS Yosemite (13.3.1), and Safari (16.4.1) include the improved input validation and memory management. Users can secure their devices by updating to these versions.
Apple has confirmed that a very large number of products are affected, including the following:
iPhone 8 and subsequent models
iPad Pro (all models)
iPad Air 3rd generation and later
iPad 5th generation and later
iPad mini 5th generation and later
Macs running macOS Vista
Users are strongly encouraged to update their devices promptly to guard against exploitation. Staying proactive about cybersecurity and keeping all of your devices up to date with the latest software patches is essential.
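For administrators who manage more than one device, the following added example (not from Apple or from the original article) audits a device inventory against the fixed versions listed above. The inventory rows, host names and the CSV layout are constructed for illustration.

```python
# Added example: flag inventory entries still below the fixed versions named in the article.
import csv
import io

# Fixed versions as stated in the article (iOS, iPadOS, macOS, Safari).
FIXED = {"ios": "16.4.1", "ipados": "16.4.1", "macos": "13.3.1", "safari": "16.4.1"}

# Constructed sample inventory; a real one would come from an MDM export.
SAMPLE_INVENTORY = """\
host,platform,version
iphone-finance-01,iOS,16.4.1
iphone-sales-07,iOS,16.4
ipad-kiosk-03,iPadOS,16.3.1
mbp-dev-12,macOS,13.3.1
mbp-dev-19,macOS,13.2.1
imac-lobby,macOS,13.4
apple-tv-1,tvOS,16.4
build-mac,macOS,13.3.1 (a)
"""


def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so that '16.4' compares below '16.4.1'."""
    parts = text.strip().split()[0].split(".")  # drop a trailing suffix such as ' (a)'
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(inventory_csv):
    """Return {host: status}; status is 'patched', 'needs-update' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["platform"].lower())
        try:
            current = parse_version(row["version"])
        except (ValueError, IndexError):
            fixed = None  # unparseable version string: report it, do not guess
        if fixed is None:
            results[row["host"]] = "unknown"
        elif current >= parse_version(fixed):
            results[row["host"]] = "patched"
        else:
            results[row["host"]] = "needs-update"
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:20} {status}")
```

Platforms the article does not list a fixed version for are reported as unknown rather than assumed safe.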