"Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days"

Apple recently pushed out a major iOS security update to fix a pair of zero-day vulnerabilities that were already being exploited in the wild. The iOS 16.4.1 and iPadOS 16.4.1 updates address code execution flaws in IOSurfaceAccelerator and WebKit; Apple says it is aware of a report that the issues may have been actively exploited. In its advisory, Apple summarized two issues, CVE-2023-28205 and CVE-2023-28206, that expose iPhones and iPads to arbitrary code execution attacks. Apple described the IOSurfaceAccelerator flaw as an out-of-bounds write that was addressed with improved input validation. The WebKit bug, which has already been exploited via web content to execute arbitrary code with kernel privileges, was fixed with improved memory management. Apple did not say whether the newly discovered exploits can bypass Lockdown Mode, the feature it shipped to deter this type of attack.

SecurityWeek reports: "Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days"