Security flaws have been identified in iOS and macOS operating systems by Kaspersky, posing significant risks to users, including ones who hold digital assets in iOS wallets. One vulnerability allows cybercriminals to access confidential user data by intercepting network traffic, while another permits malware to evade Apple's security measures and gain root access.
Two distinct vulnerabilities have been detected. The first, dubbed CVE-2023-28205, relates to the WebKit engine, which underpins the Safari browser and other applications. This flaw enables attackers to execute arbitrary code on a device by directing users to a specially crafted malicious webpage.
The second vulnerability, CVE-2023-28206, is found in the IOSurfaceAccelerator object, which can be exploited by attackers to execute code with system kernel permissions. By combining these two vulnerabilities, cybercriminals can infiltrate a device and subsequently escape the security sandbox, giving them near-complete control over the infected device.
Both desktop macOS operating systems and mobile platforms, including iOS, iPadOS, and tvOS, are affected by these vulnerabilities. Apple has released updates for various systems, including macOS 11, 12 and 13, iOS/iPadOS 15 and 16, and tvOS 16, to address the flaws.
The WebKit engine is the exclusive browser engine allowed on Apple's mobile operating systems. Regardless of the browser utilized on an iPhone, WebKit remains responsible for rendering web pages, effectively making all iOS browsers akin to Safari.
Additionally, WebKit is employed when web pages are opened within other applications. Sometimes, even if it does not appear to be a web page, WebKit is still involved in displaying it. Consequently, it is crucial to install Safari-related updates promptly, even for users who primarily rely on alternative browsers like Google Chrome or Mozilla Firefox.
Denys Serhiichuk
Vladislav Sopov
Godfrey Benjamin