Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) in macOS, iOS and iPadOS.
CVE-2023-28205 is a use-after-free issue in the WebKit browser engine, which is used by Safari and, on iOS and iPadOS, by every web browser. The flaw can be triggered via maliciously crafted web content and may lead to arbitrary code execution.
CVE-2023-28206 is an out-of-bounds write issue in IOSurfaceAccelerator that can be exploited by a malicious app to execute arbitrary code with kernel privileges.
The former can be used to perform a drive-by, zero-click attack resulting in the silent installation of malware on the target device. The latter allows attackers to escape Safari’s sandbox (i.e., escalate privileges) and achieve full system access.
What You Should Do
Security updates are available for affected Macs, iPhones and iPads. The fixes for current versions are macOS 13.3.1 and iOS/iPadOS 16.4.1. Patches are also available for older versions: macOS 12.6.5 and 11.7.6, and iOS/iPadOS 15.7.5.
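The advisory gives a different minimum patched release for each supported major line, so a fleet check has to compare a device's version against the right floor for its line. The script below is an added example, not Apple's or BMT's tooling: it encodes only the patched versions listed above, does a dotted-version comparison in plain POSIX sh (no `sort -V`, which older macOS lacks), and reports a device as patched, vulnerable, or unknown when its major line is not one the advisory covers. The `sw_vers` call at the end is the standard macOS command for the installed version; on other systems it is skipped. Feed an MDM-exported version string to `macos_patch_status` or `ios_patch_status` to check iPhones and iPads the same way.

```shell
#!/bin/sh
# Added example: classify Apple OS versions against the patched releases named
# in the advisory (macOS 13.3.1 / 12.6.5 / 11.7.6, iOS and iPadOS 16.4.1 / 15.7.5).

# version_ge A B: returns 0 if dotted version A >= B, 1 otherwise.
# Compares component by component; missing components count as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"            # leading component of each
    if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
    ax="${ax:-0}"; bx="${bx:-0}"
    if [ "$ax" -gt "$bx" ]; then return 0; fi
    if [ "$ax" -lt "$bx" ]; then return 1; fi
  done
  return 0
}

# Minimum patched release for a macOS major line; empty if the advisory
# lists no fix for that line.
patched_macos_for() {
  case "${1%%.*}" in
    13) echo 13.3.1 ;;
    12) echo 12.6.5 ;;
    11) echo 11.7.6 ;;
    *)  echo "" ;;
  esac
}

# Same for iOS / iPadOS.
patched_ios_for() {
  case "${1%%.*}" in
    16) echo 16.4.1 ;;
    15) echo 15.7.5 ;;
    *)  echo "" ;;
  esac
}

# classify VERSION MIN: prints patched/vulnerable/unknown and returns 0/1/2.
classify() {
  if [ -z "$2" ]; then echo unknown; return 2; fi
  if version_ge "$1" "$2"; then echo patched; return 0; fi
  echo vulnerable; return 1
}

macos_patch_status() { classify "$1" "$(patched_macos_for "$1")"; }
ios_patch_status()   { classify "$1" "$(patched_ios_for "$1")"; }

# Live check on the machine running the script (macOS only; sw_vers is
# the built-in version command, absent elsewhere).
if command -v sw_vers >/dev/null 2>&1; then
  v="$(sw_vers -productVersion)"
  echo "macOS $v: $(macos_patch_status "$v")"
fi
```

A device reported as unknown is not necessarily safe; it simply runs a line the advisory does not mention and needs a separate check against Apple's support pages.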
Have additional questions? Contact a member of the BMT team.