Apple Releases Patches for 2 Actively Exploited Zero-Day Flaws

Apple has released patches to fix two zero-day vulnerabilities that can be exploited to execute arbitrary code on unpatched iPhones, iPads, and Macs. Apple has received reports that indicate the vulnerabilities are being actively exploited in the wild.

The first flaw, tracked as CVE-2023-28206, is an out-of-bounds write vulnerability in the IOSurfaceAccelerator framework caused by insufficient input validation. The IOSurfaceAccelerator framework provides low-level access to graphics hardware resources and is used by iOS and macOS applications that need high-performance graphics processing, such as games and augmented-reality applications. An attacker who exploits the flaw through a maliciously crafted app could manipulate graphics resources, intercept or modify data, crash the device, and potentially execute arbitrary code with kernel privileges.

The second vulnerability, CVE-2023-28205, is a use-after-free vulnerability in WebKit, the core software component of macOS and iOS that renders web pages and executes JavaScript code in the Safari web browser and other WebKit-based applications. Because the bug allows freed memory to be reused, it could be exploited to take control of web browsing, steal sensitive data such as login credentials, corrupt data, inject malicious code into web pages, and achieve arbitrary code execution.

Apple did not disclose details about the extent to which the flaws have been exploited or the nature of the attacks; however, because the flaws were reported to Apple by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab, they are more likely being exploited by nation-state actors than by cybercriminals. That would suggest the vulnerabilities have been exploited in targeted attacks on journalists, politicians, and dissidents.

The vulnerabilities have been addressed in iOS 15.7.5, iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6, with improved input validation fixing CVE-2023-28206 and improved memory management fixing CVE-2023-28205.
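As an added example (not part of this article or of any Apple tooling), the following Python helper triages a device inventory against the patched versions listed above: each device is reported as patched, vulnerable, or on a release line this list does not cover, so that an unlisted line is checked against the vendor advisory rather than assumed safe. The hostnames and inventory are constructed sample data.

```python
from __future__ import annotations

# Minimum versions carrying the fixes for CVE-2023-28206 and CVE-2023-28205,
# keyed by (platform, major version) exactly as listed in the article.
# Any other release line is reported as "not-covered", never as safe.
PATCHED_MINIMUM = {
    ("iOS", 15): (15, 7, 5),
    ("iPadOS", 15): (15, 7, 5),
    ("macOS", 12): (12, 6, 5),  # Monterey
    ("macOS", 11): (11, 7, 6),  # Big Sur
}


def parse_version(text: str) -> tuple[int, ...]:
    """'12.6.5' -> (12, 6, 5); short strings are zero-padded, '12.6' -> (12, 6, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-covered' for one device."""
    ver = parse_version(version)
    minimum = PATCHED_MINIMUM.get((platform, ver[0]))
    if minimum is None:
        return "not-covered"  # release line not in the article's list
    return "patched" if ver >= minimum else "vulnerable"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group hostnames of a (hostname, platform, version) inventory by status."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "not-covered": []}
    for host, platform, version in inventory:
        groups[patch_status(platform, version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical hostnames.
    sample = [
        ("mac-01", "macOS", "12.6.5"),
        ("mac-02", "macOS", "11.7.5"),
        ("mac-03", "macOS", "13.3"),
        ("phone-01", "iOS", "15.7.4"),
        ("pad-01", "iPadOS", "15.7.5"),
    ]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```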

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news