Apple releases emergency security updates to patch iPhone, iPad and Mac zero-day flaws
Apple has once again released emergency security updates to fix zero-day vulnerabilities that are being used to attack compromised iPhones, iPads and Macs in the wild.
In a security advisory released on Friday (April 7), the Cupertino-based company revealed that it “is aware of a report that this issue may have been actively exploited”. Unlike with other recently discovered zero-day flaws, the ones Apple has patched have already been exploited by hackers in their attacks.
Of these new zero-days, the first flaw (tracked as CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write that could lead to corruption of data, crashes or code execution, according to BleepingComputer. An attacker could exploit the flaw using a maliciously crafted app to run arbitrary code with kernel privileges on vulnerable devices.
The second zero-day (tracked as CVE-2023-28205) is a WebKit use-after-free flaw that allows for data corruption or arbitrary code execution when reusing freed memory. To exploit it, a hacker would need to trick unsuspecting users into loading a malicious web page that could be used to execute code on their devices.
Why Apple is keeping quiet
Both of these zero-day vulnerabilities have now been fixed with the release of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1. However, you will still need to download and install these updates yourself.
So far, the list of affected devices is quite long and includes all of the best iPhones from the iPhone 8 on, all models of the iPad Pro, the iPad Air 3rd generation and later, the iPad 5th generation and later, the iPad mini 5th generation and later and any of the best Macs running macOS Ventura.
While Apple is aware of reports about how these zero-days are being used in the wild, the company remains tight-lipped when it comes to details. This is typical of Apple and in its security advisory, it explains that: “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
Another reason why Apple hasn’t said anything yet is that these security flaws are likely…