Apple has released security updates to patch a pair of zero-day vulnerabilities said to have been exploited in attacks against iOS and macOS devices.
The first zero-day flaw (CVE-2023-28206) is described as an out-of-bounds write issue within the IOSurfaceAccelerator component. The vulnerability can be exploited by a local application to execute arbitrary code with kernel privileges.
The second flaw (CVE-2023-28205) is a use-after-free issue in WebKit. It allows a remote attacker to execute arbitrary code on the system by tricking the victim into visiting a specially crafted website.
CVE-2023-28206 was addressed with improved memory validation and CVE-2023-28205 with improved memory management, according to Apple’s advisory.
As always, the tech giant withheld further details on the vulnerabilities, confirming only that it is aware of reports that these issues may have been actively exploited.
The updates are available in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1.
Last month, Google’s Threat Analysis Group (TAG) detailed two distinct highly targeted spyware campaigns that used zero-day vulnerabilities and known but unpatched flaws in Android, iOS and Chrome to infect targets’ devices with commercial spyware.