Apple operating systems have once again been found to contain vulnerabilities of very high severity, and users have been advised not to put off installing the latest versions, iOS 16.4.1 and macOS 13.3.1.
Updates are also available for iOS 15 and macOS 11 and 12, according to a report published on April 17 by internet security company Kaspersky.
According to the research, a total of two vulnerabilities were found. The first, identified as CVE-2023-28205 and rated “high” in severity (8.8 out of 10), affects the WebKit engine, which serves as the foundation for the Safari web browser. The crux of this vulnerability is that malicious actors may run arbitrary code on a device when it opens a website that they have created specifically for that purpose.
The second vulnerability, identified as CVE-2023-28206 and also rated “high” (8.6/10), was found in the IOSurfaceAccelerator object. Attackers can use it to execute code with the core (kernel) permissions of the operating system. As a result, attackers can gain root privileges, which may ‘compromise the security of users’ crypto assets,’ as per crypto journalist Colin Wu.
“Super proud of our team at @AmnestyTech and everyone who helped in this investigation. Today, Apple published an emergency update for all iPhones to patch an exploit chain which we, together with @_clem1 (Google TAG) discovered in the wild.” — Donncha Ó Cearbhaill (@DonnchaC), April 7, 2023
These two flaws may therefore be exploited together as a chain: the first flaw is used to breach the security of the device so that the second flaw can be used. The second vulnerability, in turn, grants the ability to “escape from the sandbox” and do almost anything with an infected device.
Where the vulnerabilities can be found
These flaws are present in Apple's mobile operating systems, including iOS, iPadOS, and tvOS, as well as in the desktop operating system macOS.
Because not only the most recent versions of these operating systems but also earlier generations are affected, Apple has provided updates (one after the other) for a broad variety of systems, including macOS 11, 12, and 13, iOS/iPadOS 15 and 16, and tvOS 16.
On Apple’s mobile operating systems, only the WebKit engine is supported. Web pages on the iPhone will be rendered by WebKit regardless of the browser you use (thus, any browser on iOS is effectively Safari).
In addition, the same engine is used whenever a web page is loaded inside any other app. WebKit will be used to show the content even if it doesn’t look like a web page. That’s why it’s critical to always keep Safari up to date, even if you primarily use a different browser like Chrome or Firefox.
Infection of an iOS device or Mac with a “zero-click” exploit is feasible due to vulnerabilities in WebKit like the one detailed above. Simply luring a person to a malicious website is enough to infect their device without requiring any action on their part.