Security News > 2023 > April > Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)

Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities in macOS, iOS and iPadOS. Reported by researchers Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill, the head of Amnesty International's Security Lab, the vulnerabilities have been exploited in tandem to achieve full device compromise - with the likely goal to install spyware on target devices.

CVE-2023-28206 is an out-of-bounds write issue in IOSurfaceAccelerator that can be exploited by a malicious app to execute arbitrary code with kernel privileges.

Security updates for Macs, iPhones and iPads are available.

Since Friday, Apple has released security updates for newer macOS, iOS and iPad OS versions, and then quickly backported the patches to fix the flaws in older versions.

German security researcher and hacker of Apple devices Linus Henze has already published a PoC for CVE-2023-28206 that triggers the flaw and should lead to an exploitable kernel panic.

The Cybersecurity and Infrastructure Security Agency has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, and demands that US federal civilian executive branch agencies apply Apple's updates by May 1, 2023.

News URL

https://www.helpnetsecurity.com/2023/04/11/cve-2023-28205-cve-2023-28206/