
Apple squashes iOS, macOS zero-day bugs already exploited by snoops

Keep calm and install patches before abuse becomes widespread


Apple rolled out patches on Good Friday to its iOS, iPadOS, and macOS operating systems and the Safari web browser to address vulnerabilities found by Google and Amnesty International that were exploited in the wild.

The fixes released on April 7 squash two security bugs – CVE-2023-28205 and CVE-2023-28206 – in Apple WebKit and IOSurfaceAccelerator, respectively. Snoops who successfully exploit both holes can execute arbitrary code with kernel privileges, enabling them to run pretty much any command or code they wish on the compromised device. That would allow them to steal data and spy on targets. All a victim would have to do is open some kind of maliciously crafted webpage on a vulnerable device.

The updates are to iOS 16.4.1, iPadOS 16.4.1, Safari 16.4.1, and macOS 13.3.1. Apple released iOS 16.4 and macOS 13.3 on March 27.

The updates are available for a range of devices: the iPhone 8 and later, all models of the iPad Pro, the third-generation iPad Air and later, and fifth-generation and later iPad and iPad Mini tablets. If this seems familiar, in February Cupertino patched similar flaws in its operating systems.
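A defender reading this mostly wants to know which devices in a fleet are still below the fixed builds. The following Python is an added example, not code from The Register or Apple: it compares OS versions reported by a device inventory (constructed sample records with hypothetical device names) against the minimum patched versions the article lists, and it compares version strings numerically rather than as text so that a build such as 16.4 is correctly ranked below 16.4.1.

```python
"""Fleet patch-compliance check for Apple's April 7 updates.

Added example, not from the article. The minimum fixed versions are the
ones the article lists (iOS/iPadOS/Safari 16.4.1, macOS 13.3.1); the
inventory records below are constructed sample data in an assumed format.
"""
from typing import Dict, List, Tuple

# Fixed versions from the article; anything older is treated as unpatched.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "16.4.1",
    "iPadOS": "16.4.1",
    "macOS": "13.3.1",
    "Safari": "16.4.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.4' into (16, 4, 0) so that 16.4 < 16.4.1 compares correctly.

    Padding to three components means '16.4' and '16.4.0' compare equal, and
    tuple comparison is numeric, so a hypothetical '13.10' ranks above '13.3.1'
    (a plain string comparison would get that wrong).
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(os_name: str, version: str) -> bool:
    """True when the device runs at least the fixed build for its OS."""
    if os_name not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for {os_name!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[os_name])


def unpatched_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of devices still below the builds that fix CVE-2023-28205/28206."""
    return [d["name"] for d in inventory if not is_patched(d["os"], d["version"])]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "iphone-alice", "os": "iOS", "version": "16.4.1"},
    {"name": "iphone-bob", "os": "iOS", "version": "16.4"},      # the March 27 release, still exposed
    {"name": "ipad-carol", "os": "iPadOS", "version": "16.3.1"},
    {"name": "mbp-dave", "os": "macOS", "version": "13.3.1"},
    {"name": "imac-erin", "os": "macOS", "version": "13.3"},
    {"name": "mbp-frank", "os": "macOS", "version": "13.10"},    # hypothetical later build
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {name}")
```

In practice the inventory would come from an MDM export; the check itself stays the same, and the only thing to get right is the version comparison.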

Apple credited researchers Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab with finding and reporting these latest holes.

Separate from the above, these fixes come after Google TAG and Amnesty International released reports on March 29 about two campaigns in which iOS and Android users had spyware slipped on their devices by some crew or other.

Amnesty's Security Lab late last year alerted Google to one of those campaigns – an effort by a "mercenary spyware company" to infect Android gear – leading to Google, Samsung, and other vendors releasing security updates that protected both Android and Linux users. Meanwhile, TAG detailed a campaign exploiting zero-days in both Android and iOS.

Amnesty didn't name the malware maker in its write-up, but said the infections indicated the "advanced spyware campaign" was "developed by a commercial cyber-surveillance company and sold to government hackers to carry out targeted spyware attacks." The campaign has been active since at least 2020.

"While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis," Ó Cearbhaill said in a statement.

Amnesty International has called for a global moratorium on the development and sale of spyware, noting the high-profile abuses of the Pegasus spyware created by the NSO Group.

President Joe Biden in late March issued an executive order about the US government using such spyware, though it fell short of completely banning it. ®
