Apple has published emergency updates that backport the security patches announced on Friday, addressing two actively exploited zero-day vulnerabilities discovered by Google’s Threat Analysis Group and Amnesty International’s Security Lab that also affect older iPhones, iPads, and Macs. In security advisories posted on Monday, Apple stated that it was “aware of a report that this problem may have been actively exploited.”
The first, tracked as CVE-2023-28206, is an out-of-bounds write vulnerability in IOSurfaceAccelerator that allows threat actors to execute arbitrary code with kernel privileges on vulnerable devices via a maliciously crafted app.
The second zero-day (CVE-2023-28205) is a WebKit use-after-free vulnerability that allows threat actors to execute malicious code on affected iPhones, Macs, or iPads after tricking the victim into loading a malicious web page.
Apple fixed the zero-day vulnerabilities today in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6 with improved input validation and memory management.
According to Apple, the bugs have now been fixed on the following devices:
- iPhone 6s (all models)
- iPhone 7 (all models)
- iPhone SE (1st generation)
- iPad Air 2
- iPad mini (4th generation)
- iPod touch (7th generation)
- Macs running macOS Monterey
- Macs running macOS Big Sur
Because these vulnerabilities are being actively exploited, Binary Defense recommends that organizations apply the update as soon as possible. Organizations should also restrict application installation to an approved list from clearly identified, trusted sources, and deploy endpoint monitoring and mobile device management (MDM) solutions to enforce controls against the installation of unauthorized and potentially malicious applications, a common attack vector for threat groups. Applying these technical controls to Bring Your Own Device (BYOD) phones and laptops, combined with user cyber security training, will help reduce the success of malicious-application attacks.
In some cases, organizations can also create an allow list of the trusted websites users need for business activities, blocking browsing to other, potentially suspicious sites; this can be implemented with a web proxy or next-generation firewall. To avoid drive-by attacks and other exploits hosted on malicious websites, users should be trained to navigate directly to trusted sites rather than following links. Given the prevalence of Business Email Compromise (BEC), even links from trusted contacts in email should be treated with caution.
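As an added example (not from the original advisory), the following Python script checks an MDM-style device inventory against the minimum fixed versions named above (iOS/iPadOS 15.7.5, macOS Monterey 12.6.5, macOS Big Sur 11.7.6) and lists the devices that still need the backported update. The inventory rows and device ids are constructed; major versions the advisory does not name (for example macOS 13) are reported as unknown rather than guessed.

```python
"""Flag Apple devices in an MDM inventory that are below the versions
Apple shipped for CVE-2023-28205 / CVE-2023-28206.
Added example; the inventory rows below are constructed, not real data."""

# Minimum fixed versions named in the advisory, keyed by (platform, major).
# Major versions not listed here are out of scope for this check.
FIXED_VERSIONS = {
    ("iOS", 15): (15, 7, 5),
    ("iPadOS", 15): (15, 7, 5),
    ("macOS", 12): (12, 6, 5),   # Monterey
    ("macOS", 11): (11, 7, 6),   # Big Sur
}


def parse_version(text: str) -> tuple:
    """Turn '12.6.4' into (12, 6, 4); pad missing components with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' (major not in scope)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((platform, v[0]))
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def unpatched_devices(inventory) -> list:
    """Return the ids of devices that still need the backported update."""
    return [d["id"] for d in inventory
            if patch_status(d["platform"], d["version"]) == "vulnerable"]


# Constructed sample rows in the shape an MDM export might use (assumed).
SAMPLE_INVENTORY = [
    {"id": "iphone7-ops-01", "platform": "iOS", "version": "15.7.4"},
    {"id": "iphone6s-hr-02", "platform": "iOS", "version": "15.7.5"},
    {"id": "ipadair2-sales-03", "platform": "iPadOS", "version": "15.7.3"},
    {"id": "mbp-monterey-04", "platform": "macOS", "version": "12.6.5"},
    {"id": "imac-bigsur-05", "platform": "macOS", "version": "11.7.5"},
    {"id": "mba-ventura-06", "platform": "macOS", "version": "13.3"},
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        print(device["id"], patch_status(device["platform"], device["version"]))
    print("needs update:", unpatched_devices(SAMPLE_INVENTORY))
```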