Last week, Apple issued updates for iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1, and Safari 16.4.1 to address two high-risk security vulnerabilities that were being exploited by hackers in the wild. These vulnerabilities allowed attackers to execute arbitrary code with kernel privileges, posing a significant threat to affected devices.
However, older devices, such as the iPhone 6s, which can no longer be updated to iOS 16.x, were left vulnerable. To address this issue, Apple has now released iOS 15.x and macOS 11.x/12.x updates for these legacy devices to fix the security flaws.
Users with iPhones or iPads running iOS 15 should upgrade to iOS 15.7.5 to protect their devices. On the Mac side, Apple has released two updates: macOS Big Sur 11.7.6 and macOS Monterey 12.6.5. Mac users should install whichever of the two matches the macOS version they are currently running.
Here’s a breakdown of the two vulnerabilities:
CVE-2023-28205: Located in the WebKit engine, this use-after-free vulnerability can corrupt data and lead to arbitrary code execution when freed memory is reused. Attackers can exploit this flaw by creating malicious web pages and enticing target users to visit them. Successful exploitation could lead to arbitrary code execution on the target device, making this vulnerability highly dangerous.
CVE-2023-28206: This vulnerability is an out-of-bounds write in IOSurfaceAccelerator, which can lead to data corruption, crashes, or code execution. Attackers can take advantage of this flaw by creating malicious applications and tricking users into installing them on their devices. Once such an application is installed, attackers can execute arbitrary code with kernel-level privileges, posing a severe threat to affected users.
Apple’s latest updates demonstrate its commitment to protecting its user base, including those using older devices. Users are encouraged to install these updates promptly to safeguard their devices against potential attacks.
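For administrators checking a fleet against these fixes, here is an added triage helper (example code written for this page, not Apple's or the article's own): it compares a reported OS version against the minimum fixed versions listed above, branch by branch, so that a Monterey Mac is measured against 12.6.5 rather than 13.3.1. Version strings passed on the command line are assumed to be plain dotted numbers such as `12.6.4`.

```python
"""Is a reported Apple OS version patched for CVE-2023-28205 / CVE-2023-28206?

Minimum fixed versions are taken from the article above. A version on a
branch the article does not mention (e.g. iOS 14) is reported as 'unknown'
rather than guessed at.
"""
import subprocess
import sys

# (product, major version) -> first release carrying the fix, per the article.
FIXED_VERSIONS = {
    ("iOS", 15): (15, 7, 5),
    ("iOS", 16): (16, 4, 1),
    ("iPadOS", 15): (15, 7, 5),
    ("iPadOS", 16): (16, 4, 1),
    ("macOS", 11): (11, 7, 6),   # Big Sur
    ("macOS", 12): (12, 6, 5),   # Monterey
    ("macOS", 13): (13, 3, 1),   # Ventura
}


def parse_version(text):
    """'12.6.4' -> (12, 6, 4). A missing patch or minor component counts as 0,
    so '13.3' sorts below '13.3.1' as Apple's numbering intends."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one (product, version) pair."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((product, version[0]))
    if fixed is None:
        return "unknown"          # branch not covered by the article's list
    return "patched" if version >= fixed else "vulnerable"


def assess_local_mac():
    """Read the running macOS version with sw_vers (only works on macOS)."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True)
    return assess("macOS", out.stdout)


if __name__ == "__main__":
    # Usage: python check.py iOS 15.7.4   (or no arguments on a Mac)
    if len(sys.argv) == 3:
        print(assess(sys.argv[1], sys.argv[2]))
    else:
        print(assess_local_mac())
```

Feed it the version strings an MDM or inventory export reports; anything returning `vulnerable` is still exposed to the two bugs and should be updated first.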