Apple released updates to backport patches addressing two actively exploited zero-day vulnerabilities in older iPhones, iPads, and Macs.

Apple has released emergency updates to backport security patches that address two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.

On April 7, 2023, Apple released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads.

Impacted devices include:

- iPhone 8 and later
- iPad Pro (all models)
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
- Macs running macOS Ventura

The zero-day CVE-2023-28205 is a use-after-free issue that resides in WebKit; its exploitation may lead to arbitrary code execution. An attacker can trigger the flaw by tricking victims into loading maliciously crafted web pages. The IT giant addressed the flaw with improved memory management.

The zero-day CVE-2023-28206 is an out-of-bounds write issue that resides in IOSurfaceAccelerator. The company addressed the flaw with improved input validation.

Apple addressed the zero-day issue with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.

Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

On April 10, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities catalog.

Today, Apple extended the security updates to the following devices with the release of iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6:

- iPhone 6s (all models)
- iPhone 7 (all models)
- iPhone SE (1st generation)
- iPad Air 2
- iPad mini (4th generation)
- iPod touch (7th generation)
- Macs running macOS Monterey and Big Sur