Apple Issues Urgent Update to Fix Actively Exploited iOS Zero-Days

Cupertino, California – Apple has urgently released a major security update to address two zero-day vulnerabilities that were already being exploited in the wild. The company announced the rollout of the iOS 16.4.1 and iPadOS 16.4.1 updates, which include fixes for software flaws that could have exposed iPhone and iPad users to arbitrary code execution attacks.

The vulnerabilities in question pertain to the IOSurfaceAccelerator and WebKit components of Apple’s software. The IOSurfaceAccelerator flaw, identified as CVE-2023-28205, was described as an out-of-bounds write issue that was resolved with improved input validation. The WebKit bug, known as CVE-2023-28206, had already been exploited via web content to execute arbitrary code with kernel privileges. Apple addressed this issue with enhanced memory management.
According to Apple’s advisory, the company was aware of reports indicating that the vulnerabilities might have been actively exploited. Google and Amnesty International were credited with reporting the issues to Apple.
Apple did not specify whether the newly discovered exploits were capable of bypassing Lockdown Mode, a security feature designed to deter similar types of attacks.
The release of the iOS patch coincides with reports from Google that commercial spyware vendors have been exploiting zero-day vulnerabilities to infect mobile devices with surveillance malware. In one of the campaigns described by Google, attackers sent a link to targeted users via SMS. Upon clicking the link, victims were redirected to malicious websites that delivered Android or iOS exploits, depending on the victim’s device. After the exploits were delivered, victims were redirected to legitimate websites, likely as a tactic to avoid raising suspicion.
The iOS exploit chain also targeted a previous WebKit vulnerability (CVE-2022-42856) that Apple had patched in December 2022. Additionally, the attacks involved a Pointer Authentication (PAC) bypass technique and an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability that Apple patched in 2021.
As of this year, there have been at least 24 documented zero-day vulnerabilities exploited in the wild before their discovery.
Apple encourages all iPhone and iPad users to update their devices to the latest iOS and iPadOS versions to protect against potential security threats.