PSA: Install iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 Immediately, They Fix Actively Exploited Vulnerabilities

Apple today released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and we strongly recommend installing the updates on your devices as soon as possible, as all three updates include important fixes for vulnerabilities that have been exploited in the wild.

According to Apple’s security support documents for iOS and macOS, the updates include fixes for two separate vulnerabilities, both of which have been actively exploited in the wild.

iOS 16.4.1 and iPadOS 16.4.1

Released April 7, 2023

IOSurfaceAccelerator

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1

Released April 7, 2023

IOSurfaceAccelerator

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

Google’s Threat Analysis Group and Amnesty International’s Security Lab are credited with finding and reporting the issues to Apple.

Apple also released Safari 16.4.1 today for macOS Monterey and macOS Big Sur, which likely also addresses the WebKit security vulnerability.

(Via MacRumors)