How to Protect Your Apple Devices From The Two 0-Day ACE Vulnerabilities in iOS, iPadOS, macOS, and Safari Web Browser?

On 7th Apr, tech giant Apple rolled out security updates for their iOS, iPadOS, macOS, and Safari web browser platforms to protect your Apple devices from the two 0-day ACE vulnerabilities in iOS, iPadOS, macOS, and Safari web browsers. According to Google’s Threat Analysis Group (TAG), both ACE vulnerabilities are due to an out-of-bounds write and use after free issue exists in IOSurfaceAccelerator and WebKit in iOS, iPadOS, macOS, and Safari web browsers. These flaws let attackers execute arbitrary code with kernel privileges on vulnerable products using specially crafted web content. Apple didn’t disclose the technical details of the flaws to avoid the exploitation of the vulnerabilities. Let’s explore what Apple has shared about the two 0-Day ACE vulnerabilities in this post.

A Short Introduction About Webkit Browser Engine and IOSurfaceAccelerator

WebKit and IOSurfaceAccelerator are two key technologies that work behind the scenes to deliver an optimal browsing experience and seamless graphics performance on Apple devices. While WebKit focuses on rendering web content, IOSurfaceAccelerator ensures efficient handling of graphics resources, making them indispensable components of the Apple ecosystem.

WebKit is an open-source web browser engine that powers some of the most popular browsers, including Apple’s Safari and earlier versions of Google Chrome. Developed primarily by Apple, WebKit serves as the foundation for rendering web content and interpreting HTML, CSS, and JavaScript code to display web pages accurately and efficiently. Known for its speed and performance, WebKit has been instrumental in shaping modern web standards and pushing the boundaries of web-based technologies.

IOSurfaceAccelerator, on the other hand, is a critical component of Apple’s graphics rendering pipeline. It is responsible for effectively managing and sharing graphic surfaces between various applications and system processes. By utilizing hardware acceleration, IOSurfaceAccelerator optimizes the performance of graphic-intensive tasks, such as video processing and 3D rendering, while minimizing the CPU load. As a vital element of Apple’s iOS and macOS platforms, it plays an essential role in providing a smooth and responsive user experience across different Apple devices.

Summary of CVE-2023-28205 and CVE-2023-28206

CVE-2023-28205

The vulnerability, which is tracking under CVE-2023-28205, is a 0-Day use-after-free issue in iOS, iPadOS, macOS, tvOS, and Safari web browsers. The flaw is stemmed from the WebKit browser engine, an open-source project that works to provide better web standards compliance and performance in leading web browsers such as Safari, Google Chrome, Microsoft Edge, and Firefox.

According to Clément Lecigne from Google’s Threat Analysis Group (TAG), the flaw lets attackers perform arbitrary code execution on vulnerable products using specially crafted web content. Apple also wrote that it is aware of a report that this issue could have been actively exploited against versions of iOS released older than iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. So, It’s worth noting how to protect your Apple devices from the two 0-Day ACE vulnerabilities in iOS, iPadOS, macOS, tvOS, and Safari Web Browser.

CVE-2023-28206

The vulnerability, which is tracking under CVE-2023-28206, is a 0-Day out-of-bounds write issue in iOS, iPadOS, macOS, tvOS, and Safari web browsers. The flaw is stemmed from the IOSurfaceAccelerator, a critical graphics component in Apple’s Safari, Google Chrome, Microsoft Edge, and Firefox.

According to Clément Lecigne from Google’s Threat Analysis Group (TAG), the flaw lets attackers perform arbitrary code execution on vulnerable products using specially crafted web content. Apple also wrote that it is aware of a report that this issue could have been actively exploited against versions of iOS released older than iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. So, It’s worth noting how to protect your Apple devices from the two 0-Day ACE vulnerabilities in iOS, iPadOS, macOS, tvOS, and Safari Web Browser.

Apple Products Vulnerable to CVE-2023-28205 and CVE-2023-28206

Apple users should be aware of two critical zero-day vulnerabilities, CVE-2023-28205 and CVE-2023-28206, that have been discovered and reported to affect various Apple products. These security flaws can lead to severe consequences if exploited, including arbitrary code execution and unauthorized access to kernel privileges.

CVE-2023-28205 is a use-after-free issue in the WebKit browser engine, which could allow an attacker to execute arbitrary code when processing specially crafted web content. The vulnerability affects Apple devices running the following software:

CVE-2023-28206 is an out-of-bounds write issue in the IOSurfaceAccelerator component. If exploited, this vulnerability could enable an app to execute arbitrary code with kernel privileges. The affected devices include:

How to Protect Your Apple Devices From Two 0-Day ACE Vulnerabilities in WebKitWebKit?

Apple released security updates in that it says it has released iOS 16.4.1, iPadOS 16.4.1 macOS Ventura 13.3.1, and Safari 16.4.1 to fix the flaw. We recommend all users of iPhones, iPad, and MacBooks should upgrade their OS to the latest release. Please visit the Apple security updates page to read information about all the recently released security updates.

Apple frequently releases security updates for its operating systems and applications, including iOS, iPadOS, macOS, and Safari web browsers. Always update your devices to the latest software versions to ensure you have the most recent security patches:

To check for updates on your devices, follow these steps:

It is good to adhere to these general guidelines to be protected from security issues.

We hope this post would help you know how to protect your Apple devices from the two 0-Day ACE vulnerabilities in iOS, iPadOS, macOS, and Safari Web Browsers. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,  Medium and Instagram and subscribe to receive updates like this.