hands in surgical gloves stitching an apple

Apple releases emergency updates for two known-to-be-exploited vulnerabilities

On Friday April 7, 2023, Apple released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible because all three updates include important security fixes.

The Cybersecurity and Infrastructure Security Agency (CISA) has already ordered federal agencies to patch these two security vulnerabilities before May 1st, 2023.

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The vulnerabilities

The security content of iOS 16.4.1 and iPadOS 16.4.1 contains information about two vulnerabilities that Apple has been made aware of reports that these issue may have been actively exploited.

CVE-2023-28206: an out-of-bounds write issue in IOSurfaceAccelerator was addressed with improved input validation. The issue that could allow an app to execute arbitrary code with kernel privileges is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1.

IOSurfaceAccelerator is an object that manages hardware accelerated transfers/scales between IOSurfaces in the IOSurface framework. The IOSurface framework provides a framebuffer object suitable for sharing across process boundaries. It is commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written. In this case an attacker can use it to elevate the privileges of a malicious app. For those interested, a proof-of-concept (PoC) has been published for this vulnerability.

CVE-2023-28205: a use after free (UAF) issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, processing maliciously crafted web content may lead to arbitrary code execution.

WebKit is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

The security content of macOS Ventura 13.3.1 covers the same two vulnerabilities and Apple has also released a new Safari 16.4.1 update for macOS Monterey and macOS Big Sur, which likely addresses the WebKit vulnerability.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.