Apple has released emergency updates to backport security patches released on Friday, addressing two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.
The first (tracked as CVE-2023-28206) is an out-of-bounds write weakness in IOSurfaceAccelerator that enables threat actors to execute arbitrary code with kernel privileges on targeted devices via maliciously crafted apps.
The second zero-day (CVE-2023-28205) is a WebKit use-after-free flaw that can let threat actors execute malicious code on compromised iPhones, Macs, or iPads after tricking their targets into loading malicious web pages.
The company says the bugs are now also patched on the following list of devices:
- iPhone 6s (all models),
- iPhone 7 (all models),
- iPhone SE (1st generation),
- iPad Air 2,
- iPad mini (4th generation),
- iPod touch (7th generation),
- and Macs running macOS Monterey and Big Sur.
The flaws were reported by security researchers with Google’s Threat Analysis Group and Amnesty International’s Security Lab, who discovered them being exploited in attacks as part of an exploit chain.
Both organizations often report on government-backed threat actors who use similar tactics and vulnerabilities to install spyware onto the devices of high-risk individuals worldwide, such as journalists, politicians, and dissidents.
CISA also ordered federal agencies to patch their devices against these two security vulnerabilities, which are known to be actively exploited in the wild to hack iPhones, Macs, and iPads.
In mid-February, Apple patched another WebKit zero-day (CVE-2023-23529) that was exploited in attacks to trigger crashes and gain code execution on vulnerable iOS, iPadOS, and macOS devices.