Apple has issued an emergency security update for all supported macOS versions, including Big Sur, Monterey, and Ventura. On the mobile side, however, only iOS 16 and iPadOS 16 currently have updates available. The updates address two different bugs, both zero-day vulnerabilities that are already being actively exploited. These vulnerabilities could lead to “arbitrary code execution” and a complete system takeover by cybercriminals.
One of the bugs, identified as CVE-2023-28205, is a security flaw in WebKit. It allows cybercriminals to take over any app that uses WebKit, making it a cross-browser problem for mobile Apple devices. The other bug, identified as CVE-2023-28206, is a flaw in Apple’s IOSurfaceAccelerator display code. It enables cybercriminals to inject rogue code into the operating system kernel, giving them access to the entire system.
The bugs were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. They were most likely discovered by privacy and social justice activists at Amnesty and investigated by incident response handlers at Google. The vulnerabilities can be, and already have been, used to implant spyware.
Apple recommends that all users update their devices immediately to avoid being targeted by cyber attacks. The company has released separate updates for each platform. For Macs running Big Sur and Monterey, a patch is available for CVE-2023-28205, while macOS Ventura 13.3.1 covers both bugs. For iPhones and iPads, iOS 16.4.1 and iPadOS 16.4.1 address both vulnerabilities.
In summary, the vulnerabilities are a clear and present danger and should be taken seriously. Users who do not update may remain at risk of being targeted by cybercriminals. Apple’s strict App Store rules make it hard for attackers to trick users into installing rogue apps. However, when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely.