Apr 11 2023

Apple Fixes Zero Day Vulnerability in iOS And MacOS

Category: Zero day | DISC @ 9:46 am

Apple fixes zero-day vulnerabilities for iOS and macOS devices.

Apple recently released security updates for its iOS and macOS devices, fixing zero-day vulnerabilities that could allow attackers to gain access to users’ devices.

iOS and iPadOS 15.7.5 address vulnerabilities in IOSurfaceAccelerator and the WebKit engine: a malicious app could execute arbitrary code with kernel privileges, and processing maliciously crafted web content could lead to arbitrary code execution.

Apple notes that this vulnerability has been actively exploited in the wild, making it especially important for users to update their devices as soon as possible.

Meanwhile, the macOS updates, macOS Big Sur 11.7.6 and macOS Monterey 12.6.5, address the same out-of-bounds write issue (CVE-2023-28206) with improved input validation.

macOS Big Sur 11.7.6

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

iOS 15.7.5 and iPadOS 15.7.5

  • CVE-2023-28206

IOSurfaceAccelerator

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit

  • CVE-2023-28205

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797

macOS Monterey 12.6.5

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.

  • The latest version of iOS and iPadOS is 16.4.1.
  • The latest version of macOS is 13.3.1.
  • The latest version of tvOS is 16.4.
  • The latest version of watchOS is 9.4.

Note that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.
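As an added example (not code from the original post), the check below compares an OS version reported by a device against the fixed versions listed above, so an inventory can be sorted into patched and unpatched devices. The minimums for macOS 11/12 and iOS 15 are the update versions named in the advisories; the macOS 13 and iOS 16 minimums are the "latest version" figures the post lists, assumed here to be the earliest builds carrying the fix.

```python
# Added example: classify Apple devices as patched/unpatched for the
# April 2023 fixes (CVE-2023-28206, CVE-2023-28205) using version numbers.
import re
import subprocess

# Per major release line, the first version taken as carrying the fix.
# 11.7.6 / 12.6.5 / 15.7.5 come from the advisories quoted in the post;
# 13.3.1 / 16.4.1 are the post's "latest version" figures (assumption).
MIN_FIXED = {
    "macos": {11: (11, 7, 6), 12: (12, 6, 5), 13: (13, 3, 1)},
    "ios":   {15: (15, 7, 5), 16: (16, 4, 1)},
}

def parse_version(text):
    """Turn '12.6.5' or '13.3' into a comparable tuple ('13.3' -> (13, 3, 0))."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def patch_status(product, version):
    """Return 'patched', 'unpatched' or 'unknown' for a product/version pair."""
    v = parse_version(version)
    table = MIN_FIXED.get(product.lower())
    if table is None or v[0] not in table:
        return "unknown"   # release line not covered by the versions in the post
    return "patched" if v >= table[v[0]] else "unpatched"

def local_macos_status():
    """Query the running Mac with sw_vers (only meaningful when run on macOS)."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True).stdout
    return patch_status("macos", out)

if __name__ == "__main__":
    # Constructed sample inventory: (hostname, product, reported version)
    inventory = [("mac-01", "macos", "12.6.4"), ("mac-02", "macos", "13.3.1"),
                 ("phone-07", "ios", "15.7.5"), ("phone-09", "ios", "16.3")]
    for host, product, ver in inventory:
        print(f"{host:10} {product:6} {ver:8} {patch_status(product, ver)}")
```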

As always, Apple is urging all users to update their devices to the latest iOS and macOS releases as soon as possible to ensure they are protected against these critical security vulnerabilities. Users can install the updates from the Settings app on iOS devices and from the Software Update section of System Preferences on macOS.


Tags: iOS, macOS Zero-Day


Nov 12 2021

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Category: Security vulnerabilities | DISC @ 9:54 am

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.

The watering hole campaign targeted the websites of a media outlet and a prominent pro-democracy labor and political group. The researchers found that the compromised sites hosted two iframes used to serve iOS and macOS exploits to visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

The attack was discovered in late August; the nature of the targets and the sophistication of the attack suggest the involvement of a China-linked threat actor.

“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor,” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”


Tags: macOS Zero-Day, Stuxnet, Zero day attack, zero-day