Apple Patching Two 0-Day Vulnerabilities in iOS and macOS
Apple today released updates for iOS and macOS (as well as Safari). The update fixes two vulnerabilities that are already being exploited:
- CVE-2023-28205: This vulnerability could lead to a "zero-click" exploit as a user visits a malicious web page.
- CVE-2023-28206: The first vulnerability "only" provides code execution in the Safari sandbox. But this second vulnerability could be used to escape the sandbox and achieve full system access. We rate this as "important" as it implements a privilege escalation. The full potential of the vulnerability is only realized with a remote code execution vulnerability like CVE-2023-28205.
These two vulnerabilities are likely going to be used together. Both vulnerabilities were reported by the Google TAG and the Amnesty International Security Lab. This indicates that they were used in targeted attacks, likely by state-sponsored spyware. I hope either will provide us with more details.
Safari 16.4.1 | iOS 16.4.1 and iPadOS 16.4.1 | macOS Ventura 13.3.1 |
---|---|---|
CVE-2023-28205 [critical] *** EXPLOITED *** WebKit A use after free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. |
||
x | x | x |
CVE-2023-28206 [important] *** EXPLOITED *** IOSurfaceAccelerator An out-of-bounds write issue was addressed with improved input validation. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. |
||
x | x |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments