Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Apple's recent zero-days patch is now available for older devices

Apple logo on the side of a building

Apple has now backported a fix for two major zero-days - which are allegedly being exploited in the wild - to older devices. 

Now, all iPhone 6s models and newer, as well as many older iPad models, are protected from two vulnerabilities that were said to give threat actors full access to the vulnerable endpoints.

The two flaws are being tracked as CVE-2023-28206 and CVE-2023-28205. The first is an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. Worst case scenario - a threat actor could push a malicious app allowing them to execute arbitrary code with kernel privileges on the target endpoint.

Older smartphones

The second is a WebKit with similar consequences - data corruption and arbitrary code execution. For the exploit, the aim is to trick victims into visiting a malicious website which results in remote code execution.

Now, besides iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 being safe from these bugs, updates have also made it to older devices sporting iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

This means that the following devices are now covered: all iPhone 6s models, all iPhone7 models, first generation iPhone SE, iPod Air 2, 4th generation iPad mini, 7th generation iPod touch, and all Macs powered by macOS Monterey and Big Sur.

Apple did say it was aware of threat actors abusing the zero-days, but did not discuss the details. However, BleepingComputer speculates that the attackers might be state-sponsored, given the fact that the flaws were discovered by researchers usually hunting for government-sponsored players.

The researchers that found the flaws are Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. The flaws were being used as part of an exploit chain, it was said.

Via: BleepingComputer

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.