Apple Security Updates – 09 April 2023

Apple has released security updates to address two zero-day vulnerabilities in macOS Ventura 13.3 and Safari 16.4.

The addressed vulnerabilities could allow an attacker to gain code execution by delivering specially crafted web content, or to gain kernel privileges through a specially crafted application.

The actively exploited zero-day vulnerabilities are:

  • CVE-2023-28205 – A use-after-free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
  • CVE-2023-28206 – An out-of-bounds write issue in IOSurfaceAccelerator that could allow an app to execute arbitrary code with kernel privileges.

A sample of the addressed vulnerabilities:

Apple macOS Ventura Privilege Escalation (CVE-2023-28206):

  • CVSS: 7.8
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Gain Privileges
Vulnerabilities

  • CVE-2023-28205
  • CVE-2023-28206

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

References

  • Apple Security Advisory