No sooner had we written about vulnerabilities in both Apple and Microsoft operating systems, as well as in Samsung Exynos chips, allowing the hacking of smartphones without any action on the part of their owner, than news broke about a couple of very serious security holes in both iOS and macOS — besides the ones that attackers were already exploiting. The vulnerabilities are so critical that, to combat them, Apple rapidly released updates not only for the latest operating systems, but also for several previous versions. But let’s take it step by step…
Vulnerabilities in WebKit and IOSurfaceAccelerator
In total, two vulnerabilities were discovered. The first one — named CVE-2023-28205 (threat level: “high” [8.8/10]) — concerns the WebKit engine, which is the basis of the Safari browser (and not only that; more details below). The essence of this vulnerability is that, using a specially made malicious page, the bad guys can execute arbitrary code on a device.
The second vulnerability — CVE-2023-28206 (threat level “high” [8.6/10]) — was discovered in the IOSurfaceAccelerator object. Attackers can use it to execute code with kernel privileges. Thus, these two vulnerabilities can be used in combination: the first serves to initially penetrate the device so that the second can be exploited. The second, in turn, allows the attacker to “escape from the sandbox” and do almost anything with the infected device.
The vulnerabilities are present in both the macOS desktop operating system and the mobile ones: iOS, iPadOS and tvOS. Not only are the latest generations of these operating systems vulnerable, but previous ones are too, so Apple has released updates (one after the other) for a whole range of systems: macOS 11, 12 and 13, iOS/iPadOS 15 and 16, and also tvOS 16.
Why these vulnerabilities are dangerous
The WebKit engine is the only browser engine that’s allowed on Apple’s mobile operating systems. Whichever browser you use on your iPhone, WebKit will still be used to render web pages (so any browser on iOS is essentially Safari).
Moreover, the same engine is also used when web pages are opened from any other application. Sometimes it might not even look like a web page, but WebKit will still be involved in displaying it. That’s why it’s so important to promptly install any new updates related to Safari, even if you mainly use a different browser such as Google Chrome or Mozilla Firefox.
Vulnerabilities in WebKit, such as the one described above, make possible the so-called “zero-click” infection of an iPhone, iPad or Mac. That is, the device is infected without any action by the user — it’s enough just to lure them to a specially made malicious site.
Often, such vulnerabilities are exploited in targeted attacks on powerful people or large organizations (although regular users can also get hit if they have the bad luck to land on an infected page). And it seems that something similar is happening in this case. As usual, Apple is not releasing any details, but by all accounts, the chain of vulnerabilities described above is already being actively used by unknown attackers to install spyware.
Moreover, since CVE-2023-28205 and CVE-2023-28206 have already become public knowledge and a proof of concept has already been published for the second vulnerability, it’s likely that other cybercriminals will start to exploit them too.
How to protect yourself against the described vulnerabilities
Of course, the best way to protect against CVE-2023-28205 and CVE-2023-28206 is to promptly install the new Apple updates. Here’s what you need to do, depending on the device in question:
- If you have one of the latest iOS, iPadOS or tvOS devices, then you should update the operating system to version 16.4.1.
- If you own an older iPhone or iPad that no longer supports the latest OS, then you must update to version 15.7.5.
- If your Mac is running the latest Ventura OS, then simply update to macOS 13.3.1.
- If your Mac is running macOS Big Sur or Monterey, you’ll need to update to macOS 11.7.6 or 12.6.5, respectively, and also install a separate update for Safari.
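For anyone responsible for more than one device, the version list above can be applied to an inventory export. The following Python code is an added example, not part of the original article; the inventory rows, hostnames, status labels and function names are constructed for illustration, and release lines the article does not mention are reported as "not-covered" rather than guessed at.

```python
# Added example: compare reported OS versions with the fixed versions listed above.
# Minimum fixed version per (platform, major release), as given in the article.
FIXED = {
    ("iOS", 16): (16, 4, 1), ("iPadOS", 16): (16, 4, 1), ("tvOS", 16): (16, 4, 1),
    ("iOS", 15): (15, 7, 5), ("iPadOS", 15): (15, 7, 5),
    ("macOS", 13): (13, 3, 1), ("macOS", 12): (12, 6, 5), ("macOS", 11): (11, 7, 6),
}
# Big Sur and Monterey also need the separate Safari update mentioned above.
SAFARI_SEPARATE = {("macOS", 11), ("macOS", 12)}

def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, os_version):
    """Return 'patched', 'patched-check-safari', 'vulnerable' or 'not-covered'."""
    version = parse_version(os_version)
    key = (platform, version[0])
    fixed = FIXED.get(key)
    if fixed is None:
        # Release line not in the article's list: needs a manual decision.
        return "not-covered"
    if version < fixed:
        return "vulnerable"
    return "patched-check-safari" if key in SAFARI_SEPARATE else "patched"

# Constructed sample inventory: (hostname, platform, reported OS version).
INVENTORY = [
    ("exec-iphone", "iOS", "16.4"),
    ("lobby-ipad", "iPadOS", "15.7.5"),
    ("build-mac-01", "macOS", "13.3.1"),
    ("design-mac-02", "macOS", "12.6.3"),
    ("archive-mac", "macOS", "11.7.6"),
    ("legacy-phone", "iOS", "12.5.7"),
]

def report(inventory):
    """Map each hostname to its status."""
    return {host: assess(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:<14} {status}")
```

A "patched-check-safari" result means the OS version meets the listed minimum, but the separate Safari update still has to be confirmed on that Mac.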
And of course, don’t forget to protect your Macs with reliable antivirus software that can protect you against new vulnerabilities that haven’t been fixed yet.