Apple Releases Patches for Two Zero-Days
On Friday, April 7, Apple released updates to address two actively exploited vulnerabilities in iOS, iPadOS, macOS, and Safari. The IOSurfaceAccelerator out-of-bounds write vulnerability (CVE-2023-28206) could be exploited by an app to execute arbitrary code with kernel privileges; the WebKit use-after-free vulnerability (CVE-2023-28205) could lead to arbitrary code execution when processing maliciously crafted web content. On Monday, April 10, Apple released updates backporting the fixes to older versions of the affected operating systems. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both Apple issues to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies have until May 1 to update.
You probably saw Friday's update, with its innocuous-looking CVEs, for macOS 13, Safari, iOS and iPadOS. Since then, Apple has released macOS 12.6.5 and 11.7.6 as well as iOS 15.7.5; a backport to older OS versions should trip your "this is a big deal" alert before you even hear the words zero-day or see the KEV addition. Hopefully you can just push the update to your Automated Device Enrollment (ADE) managed devices and turn your attention to your macOS updates.
Given that the WebKit vulnerability yields code execution from crafted web content and the IOSurfaceAccelerator vulnerability yields code execution at the kernel level, the best defense is to patch. The good news is that Apple provides new versions of its operating systems for free, which leads Apple users to update their devices more frequently. As we look to envision 'secure by design,' one component will have to be an automated patch management process for users.
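A practitioner pushing these updates usually wants a quick way to tell, per Mac, whether the installed macOS is at or above the release that carries the fix. The script below is an added example written for this page, not Apple or CISA tooling; it takes the minimum fixed versions as Ventura 13.3.1 (the April 7 release) and Monterey 12.6.5 and Big Sur 11.7.6 (the April 10 backports), compares the running version against the minimum for its major line, and treats any other major line (which received no fix) as unpatched. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: decide whether a macOS version contains the April 2023 fixes
# for CVE-2023-28205 / CVE-2023-28206. Not Apple's or CISA's code.

# Minimum fixed release per macOS major line (constructed from Apple's
# April 7 and April 10, 2023 releases). Other lines got no fix.
min_fixed_for_major() {
  case "$1" in
    13) echo 13.3.1 ;;
    12) echo 12.6.5 ;;
    11) echo 11.7.6 ;;
    *)  echo "" ;;
  esac
}

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Missing components count as 0, so 13.3 < 13.3.1 and 13.10 > 13.9.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = A[i] + 0; y = B[i] + 0;
      if (x < y) exit 0;
      if (x > y) exit 1;
    }
    exit 1;   # equal versions are not "less than"
  }'
}

# macos_patch_status VERSION: prints a verdict and returns
#   0 = patched, 1 = vulnerable (update available), 2 = no fix for this line.
macos_patch_status() {
  ver="$1"
  major=${ver%%.*}
  min=$(min_fixed_for_major "$major")
  if [ -z "$min" ]; then
    echo "macOS $ver: no fixed release for this major line; upgrade to a supported macOS"
    return 2
  fi
  if version_lt "$ver" "$min"; then
    echo "macOS $ver: VULNERABLE, update to $min or later"
    return 1
  fi
  echo "macOS $ver: patched (>= $min)"
  return 0
}

# Stand-alone use: pass a version as the first argument, or, on a Mac,
# run with no arguments to check the local system via sw_vers.
if [ -n "${1:-}" ]; then
  macos_patch_status "$1"
elif command -v sw_vers >/dev/null 2>&1; then
  macos_patch_status "$(sw_vers -productVersion)"
fi
```

The OS version only tells you about the kernel-side fix. On Monterey and Big Sur the WebKit fix ships separately as a Safari update (Safari 16.4.1), so a fleet check for those lines should also confirm the installed Safari version rather than stopping at the macOS number.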
Read more in
Bleeping Computer: Apple fixes two zero-days exploited to hack iPhones and Macs
Bleeping Computer: CISA orders govt agencies to update iPhones, Macs by May 1st
Apple: Apple security updates