Security News > 2023 > April > Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads
Simply put, there were zero days during which even the most proactive and cybersecurity conscious users amongst us could have been patched in advance of the crooks.
Just to be clear: the Apple Safari browser uses WebKit for "Processing web content" on all Apple devices, although third-party browsers such as Firefox, Edge and Chromium don't use WebKit on Mac.
We didn't know at the time whether the older macOSes didn't get patched for CVE-2023-28206 because they weren't vulnerable to the kernel bug, or because Apple simply hadn't got the patch ready yet.
Even more worryingly, iOS 15 and iPadOS 15, which are still officially supported, and are indeed all you can run if you have an older iPhone and iPad that can't be upgraded to version 16, didn't get any patches at all.
All supported versions of iOS and iPadOS and of macOS are vulnerable to both of these bugs, and they have now all received patches for both vulnerabilities.
If you have an older iPhone or iPad, you need to get today's update, or else you remain vulnerable to both bugs, as used in the wild in the attack discovered by Amnesty and investigated by Google.
News URL
Related news
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Fraudsters imprisoned for scamming Apple out of 6,000 iPhones (source)
- New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics (source)
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities (source)
- Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-10 | CVE-2023-28206 | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS An out-of-bounds write issue was addressed with improved input validation. | 8.6 |