Two New Emergency Patches from Apple
The Updates Fix Vulnerabilities on Older iPhones and iPads.
Apple is backporting two security patches released on Friday. The updated patches address zero-day vulnerabilities on iPhones, iPads, and Macs.
Details About the Vulnerabilities
The first flaw, tracked as CVE-2023-28206, is an out-of-bounds write issue. On unpatched devices, it may allow threat actors to use a malicious app to execute arbitrary code with kernel privileges.
Apple is aware of a report that this issue may have been actively exploited.
Today, Apple addressed the zero-days in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6 by improving input validation and memory management.
According to the tech giant, the issues have been fixed on the following devices:
- iPhone 6s (all models)
- iPhone 7 (all models)
- iPhone SE (1st generation)
- iPad Air 2
- iPad mini (4th generation)
- iPod touch (7th generation)
- Macs running macOS Monterey and Big Sur
Context for the Flaws
Google’s Threat Analysis Group and Amnesty International’s Security Lab confirmed that the vulnerabilities were exploited in attacks. Researchers warn that these types of flaws are often used by government-backed threat actors to deploy spyware on targets’ devices.
Super proud of our team at @AmnestyTech and everyone who helped in this investigation.
— Donncha Ó Cearbhaill (@DonnchaC) April 7, 2023
Apple patched another WebKit zero-day (CVE-2023-23529) in mid-February. Attackers used that flaw to trigger crashes and gain code execution on iOS, iPadOS, and macOS devices.