Apple released iOS 16.4.1 on April 7, about two weeks after the firm released its previous update to the operating system. The update was deployed to fix vulnerabilities that could be actively exploited.
While the tech giant didn’t offer many details about the fixes, it said that the bugs, tracked as CVE-2023-28205 and CVE-2023-28206, were fixed in its latest update, according to an Apple support page.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page,” Apple states on its website.
Security firm Sophos, in describing the fix as an “emergency patch,” said that CVE-2023-28205 is a “hole in Webkit,” or the engine of the Safari browser, that can allow a compromised website to “give cybercriminals control over your browser, or indeed any app that uses WebKit to render and display HTML content.” A number of apps and browsers—not just Safari—use WebKit.
“Apple’s own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs,” it said. “Additionally, Apple’s App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.”
The second bug, CVE-2023-28206, is a security hole in IOSurfaceAccelerator that can allow an app to execute code with kernel privileges; on an unpatched device, that means an attacker can reach the kernel, the core of iOS.
“This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself. Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves,” Sophos wrote.
In each of the two cases, Apple stated on its website that it was “aware of a report that this issue may have been actively exploited.” Users should update their iPhones, iPads, MacBooks, and other Apple devices that use iOS 16.4 as soon as possible, Sophos and other security researchers say.
Consumers can manually update to the latest version on their iPhones or iPads by going to Settings, General, and Software Update. Then, they should click Download and Install, follow the prompts, and wait for the phone to restart.
On Mac laptops and desktop computers, it’s similar. Users can open the Apple menu and choose System Settings before going to General and then clicking on Software Update.
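For an administrator rather than a single consumer, the practical question is which devices in a fleet are still below the build that carries the fix. The following is an added example, not code from the article, Apple or Sophos: it checks constructed inventory lines against the iOS/iPadOS version the article names, 16.4.1. The inventory line format, device identifiers and sample versions are assumptions made for illustration; the article gives no macOS version number, so Macs are skipped rather than guessed at.

```python
"""Added example (not from the article, Apple or Sophos): flag devices in a
constructed inventory that are still below the iOS/iPadOS build that the
article says fixed CVE-2023-28205 and CVE-2023-28206. The inventory format,
device ids and sample versions are assumptions for illustration."""

from typing import List, Tuple

# Version at which the article says both bugs were fixed on iPhone and iPad.
FIXED_IOS_VERSION = "16.4.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1) so comparison is numeric, not lexical.
    A plain string compare would wrongly rank '16.10' below '16.4.1'."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(installed: str, fixed: str = FIXED_IOS_VERSION) -> bool:
    """True when the installed version is older than the fixed one.
    Shorter tuples are padded with zeros so '16.4' compares as (16, 4, 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: List[str]) -> List[str]:
    """Return device ids whose iOS/iPadOS build predates the fix.
    Each line is 'device_id,platform,version' (a constructed format,
    not the export format of any real MDM product)."""
    outstanding = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, platform, version = (field.strip() for field in line.split(","))
        # Only iOS and iPadOS are compared against 16.4.1; the article gives no
        # macOS version number, so Macs are left for a separate check.
        if platform in ("iOS", "iPadOS") and needs_update(version):
            outstanding.append(device_id)
    return outstanding


# Constructed sample inventory (not real device data); '16.10' is a made-up
# value included only to show that the comparison is numeric.
SAMPLE_INVENTORY = [
    "# device_id,platform,version",
    "phone-001,iOS,16.4",
    "phone-002,iOS,16.4.1",
    "tablet-003,iPadOS,16.3.1",
    "tablet-004,iPadOS,16.10",
    "laptop-005,macOS,13.3",
]

if __name__ == "__main__":
    for device in triage(SAMPLE_INVENTORY):
        print(f"{device}: below {FIXED_IOS_VERSION}, install the update")
```

The version strings are compared as integer tuples rather than as text, which is the usual pitfall in scripts like this: a lexical compare would treat a hypothetical 16.10 as older than 16.4.1 and miss nothing while flagging a patched device.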