
The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch two security vulnerabilities actively exploited in the wild to hack iPhones, Macs, and iPads.

According to a binding operational directive (BOD 22-01) issued in November 2022, Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems against all security bugs added to CISA's Known Exploited Vulnerabilities catalog.

FCEB agencies now have to secure iOS, iPadOS, and macOS devices by May 1st, 2023, against two flaws addressed by Apple on Friday and added to CISA's list of bugs exploited in attacks on Monday.

The first bug (CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write that could allow attackers to use maliciously crafted apps to execute arbitrary code with kernel privileges on targeted devices.

The second (CVE-2023-28205) is a WebKit use after free weakness that enables threat actors to execute malicious code on hacked iPhones, Macs, or iPads after tricking the targets into loading malicious web pages under attackers' control.

Apple addressed the two zero-days in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 by improving input validation and memory management.

The company said the list of affected devices is quite extensive; it includes:

  • iPhone 8 and later,
  • iPad Pro (all models),
  • iPad Air 3rd generation and later,
  • iPad 5th generation and later,
  • iPad mini 5th generation and later,
  • and Macs running macOS Ventura.

The flaws were discovered by Google's Threat Analysis Group and Amnesty International's Security Lab while being exploited in attacks as part of an exploit chain.

Clément Lecigne from Google's Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International's Security Lab are the ones credited by Apple for reporting the bugs.

Both organizations frequently report government-sponsored threat actors' campaigns, in which zero-day vulnerabilities are exploited to install spyware on the devices of high-risk individuals, like politicians, journalists, and dissidents worldwide.

Google TAG and Amnesty International shared more info on other Android, iOS, and Chrome zero-day and n-day vulnerabilities abused in two recent campaigns to deploy commercial spyware.

Even though the vulnerabilities CISA added to its KEV catalog today were likely exploited only in highly targeted attacks, applying the patches as soon as possible is advised to prevent potential attacks.
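The BOD 22-01 mechanic described above (a KEV entry, a due date, and a fixed release agencies must reach) can be checked against a device inventory. The script below is an added example, not code from the article, CISA or Apple: the KEV entries are constructed in the shape of CISA's KEV JSON feed with values limited to what the article reports, the fleet inventory is invented, and the minimum fixed builds are the releases the article names (iOS/iPadOS 16.4.1, macOS Ventura 13.3.1).

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (real field names,
# values limited to what the article reports).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2023-28206", "vendorProject": "Apple",
     "product": "iOS, iPadOS, and macOS", "dueDate": "2023-05-01"},
    {"cveID": "CVE-2023-28205", "vendorProject": "Apple",
     "product": "Multiple Products", "dueDate": "2023-05-01"},
]}

# First fixed release per platform, as named in the article.
FIXED = {"ios": (16, 4, 1), "ipados": (16, 4, 1), "macos": (13, 3, 1)}

def parse_version(text):
    """'16.4' -> (16, 4, 0): zero-pad so 16.4 sorts below 16.4.1."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def vendor_kev_entries(feed, vendor="Apple"):
    """(cveID, dueDate) pairs for one vendor from a KEV-shaped feed."""
    return [(v["cveID"], v["dueDate"]) for v in feed["vulnerabilities"]
            if v["vendorProject"] == vendor]

def unpatched(inventory, fixed=FIXED):
    """Hosts whose OS build is older than the first fixed release."""
    return [d["host"] for d in inventory
            if parse_version(d["version"]) < fixed[d["platform"]]]

def days_until(due_iso, today_iso):
    """Days left before a BOD 22-01 due date (negative once overdue)."""
    return (date.fromisoformat(due_iso) - date.fromisoformat(today_iso)).days

def compliance_report(inventory, feed, today_iso):
    """Per CVE: hosts still exposed and days left until the KEV due date."""
    exposed = unpatched(inventory)
    return {cve: {"exposed": exposed, "days_left": days_until(due, today_iso)}
            for cve, due in vendor_kev_entries(feed)}

if __name__ == "__main__":
    fleet = [  # constructed inventory, not real hosts
        {"host": "mac-01", "platform": "macos", "version": "13.3"},
        {"host": "mac-02", "platform": "macos", "version": "13.3.1"},
        {"host": "iphone-07", "platform": "ios", "version": "16.4"},
        {"host": "ipad-03", "platform": "ipados", "version": "16.4.1"},
    ]
    print(compliance_report(fleet, KEV_SAMPLE, "2023-04-11"))
```

Both CVEs share the same fixed release, so the exposed host list is identical for each; the report still keys on CVE because the KEV due date is tracked per entry.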

Two months ago, Apple addressed another WebKit zero-day vulnerability (CVE-2023-23529) that was exploited to trigger OS crashes and gain code execution on vulnerable iPhones, iPads, and Macs.
