UPDATE: Apple on Friday released updates for two zero-day vulnerabilities exploited in the wild that were used to attack iPhones, iPads and Macs.
The two zero-days targeted iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1, and Safari 16.4.1.
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) added the two zero-days to the agency’s Known Exploited Vulnerabilities (KEV) catalog.
Federal Civilian Executive Branch (FCEB) agencies now have until May 1 to patch the two zero-days found in the iPhones, iPads, and Macs specified by Apple.
An Apple advisory last week reported that the first vulnerability — CVE-2023-28206 — was a flaw in IOSurfaceAccelerator that could potentially have allowed arbitrary code to be executed with kernel privileges.
The second vulnerability — CVE-2023-28205 — was a WebKit flaw in which processing maliciously crafted web content could lead to arbitrary code execution.
The affected devices include the following: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. On the Mac front, all Macs running macOS Ventura 13.3.1 were affected by both vulnerabilities, while all Macs running Safari 16.4.1 on macOS Big Sur and macOS Monterey were affected by the WebKit flaw, CVE-2023-28205.
This was the third zero-day Apple patched since the beginning of the year. In February, Apple addressed another WebKit zero-day — CVE-2023-23529 — that could have been used to trigger OS crashes and gain code execution on iPhones, iPads and Macs.
The last couple of years have seen an increase in the discovery of zero-day vulnerabilities in Apple products, including iOS, macOS, and Apple’s WebKit, said Christopher Prewitt, chief technology officer at Inversion6. Prewitt said the trend can be largely attributed to the increased interest from attackers seeking to exploit zero-days for financial gain or espionage purposes.
“The availability of exploit marketplaces has made it easier for security researchers and threat actors to discover and sell zero-day vulnerabilities,” said Prewitt. “While Apple continues to improve defenses and remediate findings, attacks and research into these platforms will continue to increase.”
Krishna Vishnubhotla, vice president of product strategy at Zimperium, explained that the IOSurfaceAccelerator framework has been used by many iOS and macOS applications that require high-performance graphics processing, such as video editors, games and augmented reality applications.
If IOSurfaceAccelerator is exploited, Vishnubhotla said it could potentially let an attacker gain unauthorized access to sensitive data or execute malicious code on an iOS device. Since IOSurfaceAccelerator delivers low-level access to graphics hardware resources, exploiting a vulnerability in the framework could give an attacker the ability to manipulate graphics resources, intercept or modify data, or even cause the device to crash.
“Since IOSurfaceAccelerator is widely used in iOS development, it’s likely that a significant number of iOS apps rely on this feature, so the exposure could be well beyond the macOS,” said Vishnubhotla.
WebKit is a core software component of macOS and iOS, responsible for rendering web pages and executing JavaScript code in the Safari web browser and other applications that use WebKit. Vishnubhotla said it’s an open-source project that offers a fast, efficient and customizable framework for building web browsers and other applications that display web content.
“Because WebKit is widely used in macOS and iOS, any security vulnerabilities in the engine can pose a significant risk to users,” said Vishnubhotla. “Exploiting a vulnerability in WebKit could let attackers take control of the device's web browsing capabilities and steal sensitive user data, such as log-in credentials and other personal information. It could also let attackers inject malicious code into web pages or launch phishing attacks to trick users into revealing sensitive information. Apple users should stay vigilant and keep their software up-to-date to mitigate the risk of both exploits.”