Time to patch: Apple warns of iOS zero-day likely targeting iPhones

Apple warns of two zero-day vulnerabilities in iOS that hackers are actively exploiting, likely to hack iPhones.

The company today released patches for the previously unknown vulnerabilities, which also affect macOS Ventura and partly involve WebKit, the engine used by iOS browsers including Safari.

As usual, Apple revealed few details about the zero-day attacks. But the patch notes say researchers from Google’s Threat Analysis Group and Amnesty International discovered the flaws, suggesting the hackers exploiting the flaws may have targeted human rights workers.

In a tweet, Amnesty International researcher Donncha Ó Cearbhaill confirmed that the vulnerabilities were found “in the wild” and can be chained together to exploit iOS devices.

The first bug, CVE-2023-28205, affects the WebKit browser engine. According to Apple, if the browser engine is fed “malicious web content,” a hacker can cause WebKit to run malicious computer code.

The second bug, CVE-2023-28206, affects IOSurfaceAccelerator, a more obscure iOS component. Exploiting this flaw can allow an app to execute malicious computer code as well, but with full privileges over the system’s software.

Therefore, it looks like a hacker could have exploited the zero-day vulnerabilities to hijack an iPhone. It’s possible that the attackers circulated phishing messages or websites that were compromised with maliciously crafted content.

Apple has rolled out patches to protect iPhone 8 and newer devices, as well as corresponding iPads and Mac products. A fix has also been released for the Safari browser. On the Mac side, however, the company only released a patch for macOS Ventura, not for previous versions like Monterey or Big Sur. It remains unclear whether the zero-day bugs also affect these older versions.

To update your iPhone, go to Settings > General > Software Update. The device can also update automatically if you have automatic updates enabled. The patches will arrive via iOS 16.4.1 and iPadOS 16.4.1.

Mac users can update their hardware by going to the Apple menu icon in the corner of the screen, selecting System Preferences, and selecting Software Update. The patch comes via macOS Ventura 13.3.1.
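
For anyone managing more than one device, a check of an inventory export against the fixed releases named above, as an added example that is not part of the original article. The CSV layout, hostnames and status labels are assumptions; older major releases are reported separately because the article names no fix for them.

```python
# Added example: classify devices against the fixed releases named in the article.
import csv
import io

# Fixed releases as stated in the article.
FIXED = {
    "iOS": (16, 4, 1),
    "iPadOS": (16, 4, 1),
    "macOS": (13, 3, 1),
}

# Constructed sample inventory (hypothetical hostnames and export format).
SAMPLE_INVENTORY = """hostname,os,version
phone-01,iOS,16.4.1
phone-02,iOS,16.4
tablet-01,iPadOS,16.3.1
mac-01,macOS,13.3.1
mac-02,macOS,13.2
mac-03,macOS,12.6.4
phone-03,iOS,15.7.4
mac-04,macOS,13.4
"""

def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def classify(os_name, version_text):
    """Return a status label for one device."""
    fixed = FIXED.get(os_name)
    if fixed is None:
        return "unknown-os"
    version = parse_version(version_text)
    if version[0] < fixed[0]:
        # The article names no fix for older major releases (e.g. Monterey, Big Sur).
        return "no-fix-named"
    return "patched" if version >= fixed else "needs-update"

def audit(csv_text):
    """Map each hostname in the CSV export to its status label."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["os"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as `no-fix-named` are the ones the article leaves open, so they need a manual decision rather than a routine update.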
