Note. Users of older Macs, iPhones and iPads that don’t feature in the update list below can now fetch patches against both the bugs described here. See our follow-up article for full details, including Apple security bulletin links. [Updated 2023-045-10T20:40:00Z.]
Apple just issued a short, sharp series of security fixes for Macs, iPhones and iPads.
All supported macOS versions (Big Sur, Monterey and Ventura) have patches you need to install, but only the iOS 16 and iPadOS 16 mobile versions currently have updates available.
As ever, we can’t yet tell you whether iOS 15 and iPadOS 15 users with older devices are immune and therefore don’t need a patch, are at risk and will get a patch in the next few days, or are potentially vulnerable but are going to be left out in the cold.
Two different bugs are addressed in these updates; importantly, both vulnerabilities are described not only as leading to “arbitrary code execution”, but also as “actively exploited”, making them zero-day holes.
Hack your browser, then pwn the kernel
The bugs are:
- CVE-2023-28205: A security hole in WebKit, whereby merely visiting a booby-trapped website could give cybercriminals control over your browser, or indeed any app that uses WebKit to render and display HTML content. (WebKit is Apple’s web content display subsystem.) Many apps use WebKit to show you web page previews, display help text, or even just to generate a good-looking About screen. Apple’s own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs. Additionally, Apple’s App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.
- CVE-2023-28206: A bug in Apple’s IOSurfaceAccelerator display code. This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself. Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.
Ironically, kernel-level bugs that rely on a booby-trapped app are often not much use on their own against iPhone or iPad users, because Apple’s strict App Store “walled garden” rules make it hard for attackers to trick you installing a rogue app in the first place.
You can’t go off market and install apps from a secondary or unofficial source, even if you want to, so crooks would need to sneak their rogue app into the App Store first before they could attempt to talk you into installing it.
But when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely.
That’s apparently the situation here, where the first bug (CVE-2023-28205) allows attackers to take over your phone’s browser app remotely…
…at which point, they have a booby-trapped app that they can use to exploit the second bug (CVE-2023-28206) to take over your entire device.
And remember that because all App Store apps with web display capabilities are required to use WebKit, the CVE-2023-28205 bug affects you even if you have installed a third-party browser to use instead of Safari.
Reported in the wild by activists
The worrying thing about both bugs is not only that they’re zero-day holes, meaning the attackers found them and were already using them before any patches were figured out, but also that they were reported by “Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab”.
Apple isn’t giving any more detail than that, but it’s not a big jump to assume that this bug was spotted by privacy and social justice activists at Amnesty, and investigated by incident response handlers at Google.
If so, we’re almost certainly talking about security holes that can be, and already have been, used for implanting spyware.
Even if this suggests a targeted attack, and thus that most of us are not likely to be at the receiving end of it, it nevertheless implies that these bugs work effectively in real life against unsuspecting victims.
Simply put, you should assume that these vulnerabilities represent a clear and present danger, and aren’t just proof-of-concept holes or theoretical risks.
What to do?
You may already have been offered the update by Apple; if you haven’t been, or you were offered it but turned it down for the time being, we suggest forcing an update check as soon as you can.
The updates up for grabs are:
- HT213722: Safari 16.4.1. This covers CVE-2023-28205 (the WebKit bug only) for Macs running Big Sur and Monterey. The patch isn’t packaged as a new version of the operating system itself, so your macOS version number won’t change.
- HT213721: macOS Ventura 13.3.1. This covers both bugs for the latest macOS release, and includes the Safari update that has been bundled separately for users of older Macs.
- HT213720: iOS 16.4.1 and iPadOS 16.4.1. This covers both bugs for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Note. Older Macs, iPhones and iPads (those running iOS 15, iPadOS 15, macOS 11 and macOS 12) can now be patched against both the bugs described above. See our follow-up article for full details, including Apple security bulletin links. [Updated 2023-045-10T20:40:00Z.]