US Cybersecurity and Infrastructure Security Agency (CISA) added two flaws in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog:

- CVE-2023-28205 – Apple Multiple Products WebKit Use-After-Free Vulnerability;
- CVE-2023-28206 – Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability;

This week Apple has released emergency security updates to address the above actively exploited zero-day vulnerabilities impacting iPhones, Macs, and iPads.

Impacted devices include:

- iPhone 8 and later,
- iPad Pro (all models),
- iPad Air 3rd generation and later,
- iPad 5th generation and later,
- iPad mini 5th generation and later,
- and Macs running macOS Ventura.

Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

The zero-day CVE-2023-28205 is a use-after-free issue that resides in WebKit; its exploitation may lead to arbitrary code execution. An attacker can trigger the flaw by tricking victims into loading maliciously crafted web pages.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory.

The IT giant addressed the flaw with improved memory management.

The zero-day CVE-2023-28206 is an out-of-bounds write issue that resides in the IOSurfaceAccelerator.

“An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory.

The company addressed the flaw with improved input validation.

Apple addressed the zero-day issue with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by May 1st, 2023.
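
As an added example (not code from the article, CISA, or Apple), the script below checks a device inventory against the fixed releases and the May 1st, 2023 due date given above. The inventory records, status labels, and function names are assumptions made for illustration.

```python
from datetime import date

# Fixed releases and remediation due date as stated in the article.
FIXED = {"macos": (13, 3, 1), "ios": (16, 4, 1),
         "ipados": (16, 4, 1), "safari": (16, 4, 1)}
DUE_DATE = date(2023, 5, 1)

def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so short versions compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version, today):
    """Return (status, days_left) for one inventory record."""
    key = platform.lower()
    if key not in FIXED:
        return ("not_listed", None)
    current = parse_version(version)
    # The article lists only Macs running macOS Ventura (13.x) as impacted.
    if key == "macos" and current[0] != 13:
        return ("not_listed", None)
    # Tuple comparison is numeric, so 16.10 correctly sorts after 16.4.1.
    if current >= FIXED[key]:
        return ("patched", None)
    days_left = (DUE_DATE - today).days
    return ("overdue" if days_left < 0 else "needs_update", days_left)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("mac-001", "macOS", "13.3"),
    ("mac-002", "macOS", "13.3.1"),
    ("mac-003", "macOS", "12.6.4"),
    ("phone-001", "iOS", "16.4"),
    ("pad-001", "iPadOS", "16.3.1"),
    ("pad-002", "iPadOS", "16.10"),
]

def report(today):
    """Assess every constructed inventory record as of the given date."""
    return {host: assess(p, v, today) for host, p, v in INVENTORY}

if __name__ == "__main__":
    for host, result in report(date(2023, 4, 12)).items():
        print(host, *result)
```

Records reported as `not_listed` are outside what this article states, not confirmed safe; check them against the vendor advisories separately.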