Apple has released emergency updates to backport security patches released on Friday, addressing two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories published on Monday.
The first (tracked as CVE-2023-28206) is an out-of-bounds write weakness in IOSurfaceAccelerator that enables threat actors to execute arbitrary code with kernel privileges on targeted devices via maliciously crafted apps.
The second zero-day (CVE-2023-28205) is a WebKit use after free that can let threat actors execute malicious code on compromised iPhones, Macs, or iPads after tricking their targets into loading malicious web pages.
Today, Apple addressed the zero-days in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6 by improving input validation and memory management.
The company says the bugs are now also patched on the following list of devices:
- iPhone 6s (all models),
- iPhone 7 (all models),
- iPhone SE (1st generation),
- iPad Air 2,
- iPad mini (4th generation),
- iPod touch (7th generation),
- and Macs running macOS Monterey and Big Sur.
The flaws were reported by security researchers with Google’s Threat Analysis Group and Amnesty International’s Security Lab, who discovered them being exploited in attacks as part of an exploit chain.
Both organizations often report on government-backed threat actors who use similar tactics and vulnerabilities to install spyware onto the devices of high-risk individuals worldwide, such as journalists, politicians, and dissidents.
For instance, they recently shared details on campaigns abusing two exploit chains targeting Android, iOS, and Chrome bugs to install commercial surveillance malware.
CISA also ordered federal agencies to patch their devices against these two security vulnerabilities, known as being actively exploited in the wild to hack iPhones, Macs, and iPads.
In mid-February, Apple patched another WebKit zero-day (CVE-2023-23529) that was in attacks to trigger crashes and gain code execution on vulnerable iOS, iPadOS, and macOS devices.