Apple is warning about a pair of zero-day vulnerabilities in iOS that hackers have been actively exploiting, probably to hack iPhones.
The company today released patches for the previously unknown vulnerabilities, which also affect macOS Ventura and partly target WebKit, the engine used across iOS browsers, including Safari.
Apple revealed few details about the zero-day attacks, as usual. But the patch notes(Opens in a new window) say researchers at Google’s Threat Analysis Group and Amnesty International discovered the flaws, which suggests the hackers exploiting the flaws may have been targeting human rights workers.
In a tweet(Opens in a new window), Amnesty International researcher Donncha Ó Cearbhaill confirmed the vulnerabilities were found “in the wild,” and can be chained together to exploit iOS devices.
The first flaw, CVE-2023-28205, involves the browser engine Webkit. Apple says a hacker can trigger Webkit to execute rogue computer code if the browser engine is fed “maliciously crafted web content.”
The second flaw, CVE-2023-28206, involves IOSurfaceAccelerator(Opens in a new window), a more obscure iOS component. Exploiting this flaw can allow an app to also execute rogue computer code, but with full privileges over the system’s software.
Hence, it looks like a hacker could have exploited the zero-day vulnerabilities to hijack an iPhone. It’s possible the attackers did so by circulating phishing messages or websites rigged with the malicious crafted content.
Recommended by Our Editors
Apple has rolled out patches to protect iPhone 8 and later devices, along with applicable iPads and Mac products. A fix has also been released(Opens in a new window) for the Safari browser. But on the Mac side, the company only released a patch for macOS Ventura, not earlier versions such as Monterey or Big Sur. Whether the zero-day flaws can ensnare these software versions remains unclear.
To update(Opens in a new window) your iPhone, go Settings > General > Software Update. The device can also update automatically if you’ve toggled on automatic updates. The patches will arrive through iOS 16.4.1 and iPadOS 16.4.1.
Mac users can update(Opens in a new window) their hardware by going to the Apple menu icon in the corner of the screen, picking System preferences and selecting Software Update. The patch is coming through macOS Ventura 13.3.1.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
