Apple has released emergency security updates to address two new zero-day vulnerabilities that have been exploited in attacks aimed at compromising iPhones, Macs and iPads.

“Apple is aware of a report that this issue may have been actively exploited,” the company said while describing the issues in security notice released on Friday.

The first security flaw (tracked as CVE-2023-28206) is an IOSurfaceAccelerator out of bounds writing it could result in data corruption, a crash, or code execution.

Successful exploitation allows attackers to use a maliciously crafted application to execute arbitrary code with kernel privileges on targeted devices.

The second zero-day (CVE-2023-28205) is a WebKit use after free weakness that allows data corruption or arbitrary code execution when reusing freed memory.

This flaw can be exploited by tricking targets into loading malicious web pages under attackers’ control, which could lead to code execution on compromised systems.

Both zero-day vulnerabilities have been addressed in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 with improved input validation and memory management.

Apple says the list of affected devices is quite long and includes:

• iPhone 8 and later,
• iPad Pro (all models),
• iPad Air 3rd generation and later,
• iPad 5th generation and later,
• iPad mini 5th generation and later,
• and Macs running macOS Ventura.

Three zero-days patched since the beginning of the year

Although Apple says it is aware of reports of in-the-wild exploits, the company has yet to release information regarding these attacks.

However, he revealed that both flaws were reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

Both organizations routinely disclose campaigns exploiting zero-day bugs exploited by government-sponsored threat actors to deploy commercial spyware to the smartphones and computers of politicians, journalists, dissidents and others to high risk worldwide.

Last week, Google TAG and Amnesty International unveiled two recent series of attacks using the zero-day and n-day exploit chains of Android, iOS and Chrome to deploy mercenary spyware.

While today’s zero-day patches were most likely only used in highly targeted attacks, it is highly recommended to install these emergency updates as soon as possible to block potential attack attempts .

In February, Apple has addressed another zero-day WebKit (CVE-2023-23529) exploited in attacks to trigger operating system crashes and achieve code execution on vulnerable iPhones, iPads, and Macs.