8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild.
The two vulnerabilities are as follows -
Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding itβs aware the bugs βmay have been actively exploited.β
Credited with discovering and reporting the flaws are ClΓ©ment Lecigne of Googleβs Threat Analysis Group (TAG) and Donncha Γ Cearbhaill of Amnesty Internationalβs Security Lab.
Details about the two vulnerabilities have been withheld in light of active exploitation and to prevent more threat actors from abusing them.
The updates are available in version iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide range of devices -
Apple has patched three zero-days since the start of the year. In February, Apple addressed another actively exploited zero-day (CVE-2023-23529) in WebKit that could result in arbitrary code execution.
The development also comes as Google TAG disclosed that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.
Apple, on April 10, 2023, backported patches for the two actively exploited flaws to include older iPhones, iPads, and Macs. The updates are available for the following devices -
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.