Go to listing page

CISA Warns About Two New iPhone Flaws Exploited in the Wild

CISA Warns About Two New iPhone Flaws Exploited in the Wild
The CISA updated its Known Exploited Vulnerabilities (KEV) catalog with two new security flaws affecting iPads, iPhones, and Macs. The agency warned that these flaws are being actively exploited in the wild and can allow attackers to launch arbitrary code attacks.

About the flaws

  • The first bug is tracked as an IOSurfaceAccelerator out-of-bounds write vulnerability (CVE-2023-28206). It can allow attackers to use maliciously crafted apps to execute malicious code with kernel privileges on targeted devices. 
  • The second flaw is a Webkit use-after-free bug (CVE-2023-28205) and can enable threat actors to perform code execution attacks on hacked devices by tricking targets into loading webpages under attackers’ control.

Affected products

The list of affected devices includes:
  • iPhone 8 and later versions;
  • iPad Pro;
  • iPad Air 3rd generation and later versions;
  • iPad mini 5th generation and later versions; and
  • Macs running macOS Ventura.

According to Google’s TAG and Amnesty International’s Security Lab, the cited flaws were exploited as a part of an exploit chain. However, the information around that is yet to be published.

Active exploitation of n-day flaws 

A similar spyware campaign was discovered last month that involved exploiting several zero-day and n-day flaws against Android, iOS, and Chrome. The attackers leveraged flaws to install commercial spyware and malicious apps on the devices of high-profile individuals, including politicians, journalists, and dissidents worldwide.

Wrapping up

The CISA has ordered federal agencies to patch the security flaws by May 1. Apple has addressed the two zero-day flaws in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 by improving input validation and memory management.
Cyware Publisher

Publisher

Cyware