Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) in macOS, iOS and iPadOS.
Reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, the two vulnerabilities have been chained together to achieve full device compromise, most likely (though this is not confirmed) in order to install spyware on targeted devices.
About the vulnerabilities
CVE-2023-28205 is a use-after-free bug in the WebKit browser engine, which powers Safari and, because Apple requires it, every web browser on iOS and iPadOS. It can be triggered by maliciously crafted web content and may lead to arbitrary code execution inside the browser’s sandboxed content process.
CVE-2023-28206 is an out-of-bounds write in IOSurfaceAccelerator, a kernel driver. A malicious app, or any attacker code already running on the device, can exploit it to execute arbitrary code with kernel privileges.
The former enables a drive-by attack: simply loading a malicious or compromised web page is enough to give the attacker code execution in the browser, with no further user interaction. The latter lets that code escape the browser sandbox by taking control of the kernel (i.e., escalate privileges) and gain full access to the device.
“Ironically, kernel-level bugs that rely on a booby-trapped app are often not much use on their own against iPhone or iPad users, because Apple’s strict App Store ‘walled garden’ rules make it hard for attackers to trick you into installing a rogue app in the first place,” says Paul Ducklin, Sophos Head of Technology for the Asia Pacific region.
“But when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely.”
Security updates for Macs, iPhones and iPads are available
On Friday (April 7), Apple released security updates for the current releases (macOS Ventura 13.3.1, iOS and iPadOS 16.4.1), and shortly afterwards backported the fixes to older ones (macOS Monterey 12.6.5, macOS Big Sur 11.7.6, and iOS/iPadOS 15.7.5).
Users of macOS Monterey and Big Sur must install both the OS update and the separate Safari update to fix both bugs: the OS update addresses the kernel flaw, while the Safari update carries the WebKit fix.
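As an added example (not from the article, and not Apple’s tooling), the following POSIX shell script compares a macOS host’s version against the fixed builds listed above and, on Monterey and Big Sur, checks the installed Safari version as well. The OS version thresholds are the ones named in the article; the page does not give a version number for the Safari update, so that threshold is taken from an environment variable, SAFARI_MIN, which you set from Apple’s Safari advisory. The `sw_vers` and `defaults read` calls are standard macOS commands; on any other system the host check simply reports that there is nothing to do.

```shell
#!/bin/sh
# Added example (not from the article): check whether a macOS host carries the
# fixed build for CVE-2023-28205 / CVE-2023-28206. Fixed OS versions are the
# ones the article lists (13.3.1, 12.6.5, 11.7.6). The page gives no version
# number for the separate Safari update that Monterey/Big Sur need, so that
# minimum is read from SAFARI_MIN, which you set from Apple's Safari advisory.

# version_ge A B: return 0 if dotted version A >= B, else 1.
# A trailing '.' is appended so cut always sees a delimiter and reports
# missing fields as empty (e.g. "13.3" compares as "13.3.0").
version_ge() {
    a="$1."; b="$2."; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# macos_fixed_version V: print the first fixed build on V's release line;
# return 1 if that line is not one of the three covered by this round.
macos_fixed_version() {
    case "$1" in
        13.*) echo 13.3.1 ;;
        12.*) echo 12.6.5 ;;
        11.*) echo 11.7.6 ;;
        *)    return 1 ;;
    esac
}

# macos_patched V: 0 = at/above fixed build, 1 = older, 2 = line not covered.
macos_patched() {
    min=$(macos_fixed_version "$1") || return 2
    version_ge "$1" "$min"
}

# safari_patched INSTALLED MIN: 0 if the installed Safari is at/above MIN.
safari_patched() {
    version_ge "$1" "$2"
}

# check_host: run the checks on the local machine. Only does anything on
# macOS (sw_vers is absent elsewhere), so the functions above can be
# exercised on any POSIX system.
check_host() {
    command -v sw_vers >/dev/null 2>&1 || { echo "not macOS: nothing to check"; return 0; }
    os=$(sw_vers -productVersion)
    macos_patched "$os"; rc=$?
    case $rc in
        0) echo "macOS $os: fixed OS build present" ;;
        1) echo "macOS $os: OLDER than fixed build $(macos_fixed_version "$os"), update now" ;;
        *) echo "macOS $os: release line not covered by these updates" ;;
    esac
    case "$os" in
        12.*|11.*)
            # Monterey/Big Sur get the WebKit fix through a separate Safari update.
            safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
                     CFBundleShortVersionString 2>/dev/null)
            if [ -z "${SAFARI_MIN:-}" ]; then
                echo "Safari $safari installed: set SAFARI_MIN from Apple's Safari advisory to compare"
            elif safari_patched "$safari" "$SAFARI_MIN"; then
                echo "Safari $safari: at or above $SAFARI_MIN"
            else
                echo "Safari $safari: OLDER than $SAFARI_MIN, install the Safari update"
            fi ;;
    esac
}

check_host
```

Run it as `SAFARI_MIN=<version from Apple's Safari advisory> sh check_apple_patch.sh` on each Mac; on a fleet, the exit codes of `macos_patched` (0, 1, 2) are what you would feed into inventory tooling rather than the printed text. The comparison is purely numeric, so a host on a release line older than Big Sur is reported as “not covered” rather than as patched.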
German security researcher and Apple device hacker Linus Henze has already published a PoC for CVE-2023-28206 that triggers the flaw and should produce a kernel panic; it demonstrates the bug rather than providing a working exploit.
No details are available about the attacks in which CVE-2023-28205 and CVE-2023-28206 were exploited. As noted above, the involvement of Amnesty International’s Security Lab suggests the vulnerabilities were used in limited, targeted attacks to install spyware on devices belonging to human rights advocates. Nevertheless, all Mac, iPhone and iPad users are advised to install the updates as soon as possible.
The Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and requires US federal civilian executive branch agencies to apply Apple’s updates by May 1, 2023.