CISA Directs Government Agencies to Update Apple Devices by May 1st

April 10, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to address two security vulnerabilities actively exploited in the wild to hack iPhones, Macs, and iPads. According to a binding operational directive (BOD 22-01) issued in November 2022, Federal Civilian Executive Branch Agencies (FCEB) are required to patch their systems against all security bugs added to CISA's Known Exploited Vulnerabilities catalog. FCEB agencies now have until May 1st, 2023, to secure iOS, iPadOS, and macOS devices against two flaws addressed by Apple on Friday and added to CISA's list of bugs exploited in attacks on Monday.

The first bug (CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write that could allow attackers to use maliciously crafted apps to execute arbitrary code with kernel privileges on targeted devices. The second (CVE-2023-28205) is a WebKit use-after-free vulnerability that enables threat actors to execute malicious code on hacked iPhones, Macs, or iPads after tricking the targets into loading malicious web pages under attackers' control. Apple addressed the two zero-days in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 by improving input validation and memory management. The company said the list of affected devices is quite extensive.

The flaws were discovered by Google's Threat Analysis Group and Amnesty International's Security Lab while being exploited in attacks as part of an exploit chain. Clément Lecigne from Google's Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International's Security Lab are the ones credited by Apple for reporting the bugs. Both organizations frequently report government-sponsored threat actors' campaigns, in which zero-day vulnerabilities are exploited to install spyware on the devices of high-risk individuals, like politicians, journalists, and dissidents worldwide. Google TAG and Amnesty International shared more information on other Android, iOS, and Chrome zero-day and n-day vulnerabilities abused in two recent campaigns to deploy commercial spyware.

Although the vulnerabilities added by CISA to its KEV catalog were likely only exploited in highly targeted attacks, it is advised to patch them as soon as possible to prevent potential attacks. Two months ago, Apple addressed another WebKit zero-day vulnerability (CVE-2023-23529) that was exploited to trigger OS crashes and gain code execution on vulnerable iPhones, iPads, and Macs.
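For teams checking fleet compliance against the deadline, the following is an added example (not CISA's, Apple's, or the article's own tooling) that flags devices in a constructed inventory that have not reached the fixed versions named above; it treats devices on a different major release line or platform as needing manual review rather than guessing.

```python
"""Flag Apple devices that have not reached the fixed versions named in the
article (iOS/iPadOS 16.4.1, macOS Ventura 13.3.1). Added example, not
official tooling; the inventory format is an assumption."""
from dataclasses import dataclass

# Minimum fixed version per platform, as stated in the article.
FIXED = {"iOS": (16, 4, 1), "iPadOS": (16, 4, 1), "macOS": (13, 3, 1)}


def parse_version(s: str) -> tuple:
    """'16.4' -> (16, 4, 0): pad to three components so '16.4' < '16.4.1'."""
    parts = [int(p) for p in s.strip().split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Device:
    name: str
    platform: str
    version: str


def status(dev: Device) -> str:
    """Return 'patched', 'needs-update' or 'review' for one device."""
    fixed = FIXED.get(dev.platform)
    if fixed is None:
        return "review"  # platform not covered by the versions above
    have = parse_version(dev.version)
    if have[0] != fixed[0]:
        # Different major line (e.g. macOS 12.x): the versions named in the
        # article do not apply, so hand it to a human instead of guessing.
        return "review"
    return "patched" if have >= fixed else "needs-update"


def triage(devices) -> dict:
    """Group device names by status."""
    out = {"patched": [], "needs-update": [], "review": []}
    for d in devices:
        out[status(d)].append(d.name)
    return out


# Constructed sample inventory (hypothetical MDM export, not real data).
SAMPLE = [
    Device("mac-001", "macOS", "13.3.1"),
    Device("mac-002", "macOS", "13.3"),
    Device("mac-003", "macOS", "12.6.4"),
    Device("ipad-001", "iPadOS", "16.4"),
    Device("iphone-001", "iOS", "16.4.1"),
    Device("watch-001", "watchOS", "9.4"),
]

if __name__ == "__main__":
    for k, names in triage(SAMPLE).items():
        print(f"{k}: {', '.join(names) or '-'}")
```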
