Apple and Google have recently announced and patched zero-day vulnerabilities in their products respectively, and reports indicate that hackers have detected attacks using these vulnerabilities. The Hong Kong Computer Emergency Response Coordination Center (HKCERT) under the Hong Kong Productivity Council urged users to update immediately to block malicious attacks generated by the vulnerability.
The two zero-day vulnerabilities announced by Apple are CVE-2023-28205 and CVE-2023-28206, which target the WebKit components in the Safari browser and internal programs that manage hardware. Affected systems include versions prior to iOS 15.7.5, iOS 16.4.1, iPadOS 15.7.5, iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Monterey 12.6.5, and macOS Ventura 13.3.1.
Hackers only need to send phishing messages to trick users into browsing malicious websites or installing malicious applications to trigger the vulnerability to invade the system. The vulnerability CVE-2023-28206 can even allow hackers to execute arbitrary code with system kernel privileges. After success, they can control all resources in the system, including installing unauthenticated applications behind the system and accessing all data on the device.
As for the zero-day vulnerability announced and patched by Google, it is aimed at Google Chrome, which can seriously cause the browser to crash or execute arbitrary code. Because Microsoft Edge runs on the Google Chromium browser engine, it is also affected by the above vulnerability. Affected versions of Google Chrome and Microsoft Edge include versions earlier than 112.0.5615.121 and 112.0.1722.48, respectively.
The aforementioned zero-day vulnerability, identified as CVE-2023-2033, targets a type confusion error thrown in the V8 JavaScript engine within Google Chrome. Hackers only need to send phishing messages to trick users into browsing maliciously constructed HTML pages to trigger vulnerabilities to invade the system. The vulnerability CVE-2023-2033 can even allow hackers to execute arbitrary code with system kernel privileges. After successful execution, arbitrary code can be executed in the system to carry out malicious attacks.
HKCERT appeals to users of the above-mentioned devices to update as soon as possible, and reminds everyone to keep the operating systems and applications of all mobile devices or computers up to date, and only download programs from official application stores. Mobile device users should also install reliable antivirus applications to detect known malicious programs and malicious websites, and set device password locks or screen locks to ensure that when the device is stolen or lost, the data will not be easily stolen by others .
Related article:[For Chromium products]Browser extension Rilide bypasses 2FA to steal cryptocurrency