Apple just patched a pair of dangerous iOS and macOS security issues, so update now
Two zero-days were found exploited in the wild
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Applehas fixed two zero-day flaws that were being actively exploited against users with iPhones, Macs, and iPad devices.
The flaws could have allowed threat actors to take over victim’s devices, giving them full access to theendpoints, experts said.
“Apple is aware of a report that this issue may have been actively exploited,” the Cupertino giantsaid in an advisorypublished with the fixes.
Long list of affected devices
The two flaws are being tracked as CVE-2023-28206 and CVE-2023-28205. The former is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps, and devices, and remotely execute code. Worst case scenario - a threat actor could push amaliciousapp allowing them to execute arbitrary code with kernel privileges on the target endpoint.
The latter is a WebKit use after free vulnerability with similar consequences - data corruption and arbitrary code execution. For this flaw, the worst-case scenario is to trick victims into visiting a malicious website, resulting in remote code execution.
The flaws were addressed in the release of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, andSafari16.4.1, so if you’re worried about these vulnerabilities, make sure to bring your systems to the latest version as soon as possible.
Apple released a list of vulnerable devices, including the iPhone 8 and newer, all iPad Pros, iPad Air 3d generation and newer, iPad 5th generation and newer,iPad mini 5th generation and newer, and all macOS Ventura devices.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Apple Safari patched to fix potentially dangerous zero-day flaws>There’s a major new security update for iOS and macOS, so update now>Here’s our list of the best identity theft protection tools around
Apple did say it was aware of threat actors abusing the zero-days in the wild, but did not discuss the details. However, BleepingComputer speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.
The researchers that found the flaws are Clément Lecigne ofGoogle’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. The flaws were being used as part of an exploit chain, it was said.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Your doctor may have an AI assistant taking notes during your next Zoom call
