Apple is warning about two zero days that are being actively exploited in iOS, macOS, and Safari.
The two vulnerabilities are in separate components, one in IOSurfaceAccelerator (CVE-2023-28206) and the other in the WebKit framework (CVE-2023-28205). Both of the flaws were discovered by Clément Lecigne of the Google Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International.
The vulnerability in IOSurfaceAccelerator is an out-of-bounds write, and an attacker who exploits it through a malicious app can gain arbitrary code execution with kernel privileges. The WebKit bug is a use-after-free that can also lead to arbitrary code execution if a vulnerable device processes malicious web content.
The vulnerabilities are patched in iOS 16.4.1 and macOS Ventura 13.3.1. Safari 16.4.1 includes a patch for the WebKit bug. The browser isn’t vulnerable to the IOSurfaceAccelerator flaw, however.
In late March, Google TAG and Amnesty International disclosed a pair of attack campaigns that were using iOS and Android zero-day exploit chains to target victims in several countries and install commercial spyware. Those iOS vulnerabilities have already been patched, and the ones Apple fixed in these new releases are separate issues.