Time to Patch: Apple Warns About iOS Zero-Day Likely Targeting iPhones
Apple is warning about a pair of zero-day vulnerabilities in iOS that hackers have been actively exploiting, probably to hack iPhones.
The company today released patches for the previously unknown vulnerabilities, which also affect macOS Ventura and partly target WebKit, the engine used across iOS browsers, including Safari.
Apple revealed few details about the zero-day attacks, as usual. But the patch notes(Opens in a new window) say researchers at Google’s Threat Analysis Group and Amnesty International discovered the flaws, which suggests the hackers exploiting the flaws may have been targeting human rights workers.
In a tweet(Opens in a new window), Amnesty International researcher Donncha Ó Cearbhaill confirmed the vulnerabilities were found “in the wild,” and can be chained together to exploit iOS devices.
The first flaw, CVE-2023-28205, involves the browser engine Webkit. Apple says a hacker can trigger Webkit to execute rogue computer code if the browser engine is fed “maliciously crafted web content.”
The second flaw, CVE-2023-28206, involves IOSurfaceAccelerator(Opens in a new window), a more obscure iOS component. Exploiting this flaw can allow an app to also execute rogue computer code, but with full privileges over the system’s software.
Hence, it looks like a hacker could have exploited the zero-day vulnerabilities to hijack an iPhone. It’s possible the attackers did so by circulating phishing messages or websites rigged with the malicious crafted content.
Apple has rolled out patches to protect iPhone 8 and later devices, along with applicable iPads and Mac products. A fix has also been released(Opens in a new window) for the Safari browser. But on the Mac side, the company only released a patch for
Read more on pcmag.com
