US government orders its workers to update their iPhones immediately

They have until May to address two zero-days

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

US government workers owningAppledevices have until May 1 to apply the latest patch and protect their endpoints from potential compromise.

BleepingComputer recently reported the Cybersecurity and Infrastructure Agency (CISA) ordering federal agencies to apply a patch fixing CVE-2023-28206 and CVE-2023-28205 for iPhones, Mac computers, and iPad devices.

Allegedly, the flaws are being actively exploited in the wild, to give threat actors full access to the target devices. “Apple is aware of a report that this issue may have been actively exploited,” the Cupertino giant said in an advisory published with the fixes.

Many affected devices

One is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. The Worst case scenario is that a threat actor could pusha maliciousapp allowing them to execute arbitrary code with kernel privileges on the device.

The other is a WebKit with similar consequences: data corruption and arbitrary code execution via a victim’s visit to a malicious website, resulting in remote code execution.

The flaws were addressed in the release of iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, andSafari16.4.1, so if you’re worried about these vulnerabilities, make sure to bring your systems to the latest version as soon as possible.

Apple Safari patched to fix potentially dangerous zero-day flaws>Apple just patched a pair of dangerous iOS and macOS security issues, so update now>Here’s our list of the best identity theft protection tools around

Apple released a list of vulnerable hardware, which included all iPad Pros and macOS Ventura devices, as well as iPad, iPad Mini and iPad Air devices - the first two from the 5th generation onwards and the latter from the 3rd generation onwards. Smartphones from the iPhone 8 onwards are also affected.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The company did say it was aware of threat actors abusing the zero-days in the wild, but did not discuss the details. The media speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.

The researchers that found the flaws are Clément Lecigne ofGoogle’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. The flaws were apparently being used as part of an exploit chain.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TP-Link Archer BE3600 Wi-Fi 7 Router review

Ulefone Armor Pad 3 Pro rugged tablet review

Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set