Apple Inc. has released patches for two unpatched vulnerabilities being exploited in the wild that target Apple devices, including iPhones, iPads and Mac computers.
The first vulnerability, designated CVE-2023-28205, is described by Apple as an issue in WebKit that allowed for the processing of maliciously crafted web content that could lead to arbitrary code execution. The second, CVE-2023-28206, is described as an issue with IOSurfaceAccelerator that would allow an app to execute arbitrary code with kernel privileges.
Both vulnerabilities were discovered by Clément Lecigne of Google LLC’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. Apple also noted Friday that it ‘ aware of a report that both “may have been actively exploited.”
The two vulnerabilities targeted iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1 and Safari 16.4.1, subsequently affecting iPhone 8 and later models, all iPad Pro models, iPad Air third generation or later, iPad and iPad Mini – fifth generation or later and Macs running macOS Ventura.
Apple released patches for the vulnerabilities on Friday, but given the Easter weekend, they were initially mostly overlooked. In its advisory, Apple recommends that users keep their software updated to maintain product security.
Worldwide, governments and security advisory firms are also encouraging users to update their products. The Straits Times reported today that the Singapore Computer Emergency Response Team is urging users to install the updates immediately.
Apple didn’t go into depth about what was involved in the vulnerabilities, but Krishna Vishnubhotla, vice president of product strategy at mobile security solutions provider Zimperium Inc., explained to SiliconANGLE what the various components do.
“The IOSurfaceAccelerator framework is used by many iOS and macOS applications that require high-performance graphics processing, such as video editors, games and augmented reality applications,” Vishnubhotla said. “If IOSurfaceAccelerator is exploited, it could potentially allow an attacker to gain unauthorized access to sensitive data or execute malicious code on an iOS device.”
WebKit, the engine under Apple’s Safari browser and used by Apple to render webpages in apps, is much better-known, and Vishnubhotla noted that any security vulnerabilities in the engine can pose a significant risk to users.
“Exploiting a vulnerability in WebKit could allow attackers to take control of the device’s web browsing capabilities and steal sensitive user data, such as login credentials and other personal information,” he said. “It could also allow attackers to inject malicious code into web pages or launch phishing attacks to trick users into revealing sensitive information.”