Apple released emergency updates to fix recently disclosed zero-day bugs on older devices

Apple released updates to backport patches addressing two actively exploited zero-day vulnerabilities in older iPhones, iPads, and Macs.

Apple has released emergency updates to backport security patches that address two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.

On April 7, 2023, Apple released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads.

Impacted devices include:

  • iPhone 8 and later,
  • iPad Pro (all models),
  • iPad Air 3rd generation and later,
  • iPad 5th generation and later,
  • iPad mini 5th generation and later,
  • and Macs running macOS Ventura.

The zero-day CVE-2023-28205 is a use-after-free issue that resides in WebKit; its exploitation may lead to arbitrary code execution. An attacker can trigger the flaw by tricking victims into loading maliciously crafted web pages. The IT giant addressed the flaw with improved memory management.

The zero-day CVE-2023-28206 is an out-of-bounds write issue that resides in IOSurfaceAccelerator. The company addressed the flaw with improved input validation.

Apple addressed the zero-day issues with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.

Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

On April 10, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities catalog.

Today, Apple extended the security updates to the following devices with the release of iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6:

  • iPhone 6s (all models),
  • iPhone 7 (all models),
  • iPhone SE (1st generation),
  • iPad Air 2,
  • iPad mini (4th generation),
  • iPod touch (7th generation),
  • and Macs running macOS Monterey and Big Sur.


Pierluigi Paganini


(SecurityAffairs – hacking, Apple)



