More Zero-day Flaws: Apple Fixes Two New Vulnerabilities

Every now and then, tech companies release regular updates for customers to install and implement. Aside from being an upgrade, these patches help fix previous flaws and vulnerabilities within systems. Even the biggest organizations are susceptible to vulnerabilities, and those also include Apple.

Apple had its fair share of vulnerabilities back in 2022. However, even 2023 hasn’t been treating it very well so far, as the company did disclose a previous vulnerability a couple of months ago.

Now, two new flaws emerged, exploited in the wild, compromising iPhones, Macs, and iPads. What can threat actors do? What risks are at hand? Here’s what we know.

More Apple Flaws – And Then There Were Five

As we mentioned, 2023 hasn’t kicked off in the best way that Apple intended. Earlier this year, the company disclosed around three vulnerabilities that cybercriminals were taking advantage of.

Now, with these two in the open, we have a total of five vulnerabilities so far. In 2022, the number of vulnerabilities went all the way to nine.

According to Common Weakness Enumeration, the two vulnerabilities can be described as such:

• CVE-2023-28205:

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw.

The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

• Error conditions and other exceptional circumstances.
• Confusion over which part of the program is responsible for freeing the memory.

All in all, threat actors can easily achieve arbitrary code execution, taking full control of the device in the process.

• CVE-2023-28206:

Typically, this can result in the corruption of data, a crash, or code execution. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

In general, exploiting this vulnerability allows an app to execute arbitrary code with kernel privileges.

Now that these vulnerabilities have been addressed, Apple released the necessary patches for iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1.

New Zero-Day Flaws – Update Your Device Immediately

Threat actors are everywhere, waiting for the right moment to strike. Vulnerabilities reflect the perfect way to infiltrate devices, which is exactly what Google TAG has warned us about.

Apparently, commercial spyware vendors are targeting Android and iOS devices through security flaws to install surveillance malware.

If you have any of the devices mentioned above, it’s highly recommended you update them at once. Don’t postpone or ignore this – your data is at risk.