The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch two security vulnerabilities actively exploited in the wild to hack iPhones, Macs and iPads.

According to a Binding Operational Directive (BOD 22-01) released November 2022, Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems against all security bugs added to CISA Catalog of known exploited vulnerabilities.

FCEB agencies must now secure iOS, iPadOS and macOS devices until May 1, 2023 against two flaws fixed by Apple Friday and added to CISA list of exploited bugs in attacks Monday.

The first bug (CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write that could allow attackers to use maliciously crafted applications to execute arbitrary code with kernel privileges on targeted devices.

The second (CVE-2023-28205) is a use of WebKit after a gratuitous weakness that allows hackers to execute malicious code on hacked iPhones, Macs, or iPads after tricking targets into loading malicious web pages under control attackers.

Apple addressed the two zero-days in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 by improving input validation and memory management.

The company said the list of affected devices is quite long and includes:

• iPhone 8 and later,
• iPad Pro (all models),
• iPad Air 3rd generation and later,
• iPad 5th generation and later,
• iPad mini 5th generation and later,
• and Macs running macOS Ventura.

The flaws were discovered by Google’s Threat Analysis Group and Amnesty International’s Security Lab as they were exploited in attacks as part of an exploit chain.

Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab are those credited by Apple for reporting the bugs.

Both organizations frequently report government-sponsored threat actor campaigns in which zero-day vulnerabilities are exploited to install spyware on the devices of high-risk individuals, such as politicians, journalists, and government officials. dissidents around the world.

Google TAG and Amnesty International have shared more information about other zero-day and n-day Android, iOS and Chrome vulnerabilities being exploited in two recent campaigns to deploy commercial spyware.

Even though the vulnerabilities that were added by CISA to its KEV catalog today were likely only exploited in highly targeted attacks, it is advisable to fix them as soon as possible to prevent potential attacks.

Two months ago, Apple addressed another WebKit zero-day vulnerability (CVE-2023-23529) that has been exploited to trigger operating system crashes and achieve code execution on vulnerable iPhones, iPads, and Macs.