Apple released emergency iOS 16.4.1, iPadOS 16.4.1 and macOS Ventura 13.3.1 updates last Friday to fix two zero-day vulnerabilities that are being exploited in the wild.

According to Apple's security bulletin, the two vulnerabilities patched are CVE-2023-28205 and CVE-2023-28206. CVE-2023-28206 is an out-of-bounds write in IOSurfaceAccelerator that could allow a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-28205 is a use-after-free in WebKit: processing maliciously crafted web content can lead to arbitrary code execution. In practice an attacker sets up a malicious web page and lures the user into opening it, and the page runs attacker-controlled code on the device. Apple did not say whether the two bugs were used together, but a WebKit remote code execution flaw paired with a kernel privilege escalation is the classic shape of a browser-based exploit chain.

Both vulnerabilities were discovered and reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. Apple also states that it is aware of reports that both issues may have been actively exploited.

Apple did not assign a severity rating to either vulnerability, but the security vendor Tenable rated both as high severity.

Products affected by the two vulnerabilities include iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and macOS 13 Ventura. At the time of the bulletin, no fixed release was yet available for older iOS, iPadOS or macOS versions.
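For anyone who has to confirm the fix across a fleet, the useful check is not "is the OS recent" but "is the installed version at or above the fixed build for its platform", with versions compared numerically rather than as strings. The following script is an added example written for this page, not code from Apple or the reporters. It takes the fixed versions from the bulletin (iOS/iPadOS 16.4.1, macOS 13.3.1), treats an older major release (for example iOS 15 or macOS 12) as having no fix available, which matches the article's statement at publication time and should be revisited as Apple ships backports, and runs over a constructed sample inventory; the inventory entries, field names and function names are all assumptions for illustration.

```python
"""Fleet check for the April 2023 Apple patches (CVE-2023-28205 / CVE-2023-28206).

Added example: classifies devices against the fixed versions from Apple's
bulletin. The inventory below is constructed sample data, not real devices.
"""
from __future__ import annotations

# Minimum patched version per platform, from Apple's bulletin for
# iOS/iPadOS 16.4.1 and macOS Ventura 13.3.1.
PATCHED_VERSIONS: dict[str, tuple[int, ...]] = {
    "ios": (16, 4, 1),
    "ipados": (16, 4, 1),
    "macos": (13, 3, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1).

    Missing components are padded with 0 so '16.4' becomes (16, 4, 0) and
    sorts below (16, 4, 1). Comparing version strings lexically is wrong
    ('16.10' < '16.4' as strings), which is why tuples of ints are used.
    """
    nums = tuple(int(p) for p in text.strip().split("."))
    return nums + (0,) * (3 - len(nums))


def patch_status(platform: str, version: str) -> str:
    """Classify a single device.

    Returns 'patched', 'update_available' (same major release but below the
    fixed build) or 'no_update_yet' (an older major release with no fix
    published at the time of the bulletin, e.g. iOS 15 or macOS 12).
    """
    key = platform.lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    fixed = PATCHED_VERSIONS[key]
    installed = parse_version(version)
    if installed >= fixed:
        return "patched"
    if installed[0] < fixed[0]:
        return "no_update_yet"
    return "update_available"


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    {"name": "iphone-001", "platform": "iOS", "version": "16.4.1"},
    {"name": "iphone-002", "platform": "iOS", "version": "16.4"},
    {"name": "iphone-003", "platform": "iOS", "version": "15.7.4"},
    {"name": "ipad-001", "platform": "iPadOS", "version": "16.3.1"},
    {"name": "mac-001", "platform": "macOS", "version": "13.3.1"},
    {"name": "mac-002", "platform": "macOS", "version": "13.3"},
    {"name": "mac-003", "platform": "macOS", "version": "12.6.4"},
]


def summarize(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group device names by patch status so the unpatched ones can be chased."""
    report: dict[str, list[str]] = {
        "patched": [],
        "update_available": [],
        "no_update_yet": [],
    }
    for dev in inventory:
        report[patch_status(dev["platform"], dev["version"])].append(dev["name"])
    return report


if __name__ == "__main__":
    for status, names in summarize(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices reported as `update_available` are the ones to push immediately; the `no_update_yet` group is the one to keep watching, since the bulletin's device list stops at the current major releases and those older builds remain exposed until Apple backports the fixes.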

