Apple Urges Immediate Update to iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1

Apple has just started rolling out iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1 for iPhone, iPad, and Mac users, respectively. It is highly recommended to update your device as soon as possible because all three updates address critical security vulnerabilities. These vulnerabilities could potentially be exploited by attackers to gain unauthorized access to your device, steal your data, or even install malware.

The update to iOS 16.4.1 and iPadOS 16.4.1 addresses issues related to Siri and emojis, as well as two actively exploited security vulnerabilities that were discovered recently. Meanwhile, the macOS 13.3.1 update comes with fixes for the Auto Unlock feature with Apple Watch and an issue that caused the pushing hands emoji not to show skin tone variations. It also includes important security updates that address two actively exploited vulnerabilities.

To ensure the security and stability of your devices, it is recommended to update to the latest versions of the operating systems as soon as possible. To do so, you can go to the Settings app on your iPhone or iPad, choose General, then choose Software Update. On your Mac, you can check for updates by going to System Preferences, then clicking on Software Update.

Shortly after releasing its latest software updates for iPhone and Mac, which included crucial bug fixes and security updates, Apple has now provided detailed information on the specific security flaws that were patched. It is noteworthy that Apple has mentioned these flaws were being exploited in the wild.

As per the information shared on its security updates page, Apple has fixed two flaws, which were the same for both iOS and macOS. Apple’s security support documents for iOS and macOS also confirm that the new software updates include fixes for two distinct vulnerabilities. Both of these vulnerabilities were already known to Apple, and they were being actively exploited.

The first vulnerability, in IOSurfaceAccelerator, could allow an app to execute arbitrary code with kernel privileges. Apple fixed this out-of-bounds write issue by improving input validation. The second vulnerability, in WebKit, could allow maliciously crafted web content to execute arbitrary code. Apple addressed this use-after-free issue with improved memory management.

Google’s Threat Analysis Group and Amnesty International’s Security Lab have been given credit for detecting and reporting both of these vulnerabilities to Apple.

Here are the full details provided by Apple:

IOSurfaceAccelerator

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

Source: Apple
