Apple released updates for two zero-day vulnerabilities that were used to attack iPhone, iPad and Mac devices.

“Apple is aware of a report that [these issues] may have been actively exploited,” the tech giant wrote in a security advisory published last Friday.

The first patched flaw (CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write issue, potentially enabling an app to execute arbitrary code with kernel privileges. Apple said the issue was addressed with improved input validation.

“The IOSurfaceAccelerator framework is used by many iOS and MacOS applications that require high-performance graphics processing, such as video editors, games and augmented reality applications,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.

“Since IOSurfaceAccelerator provides low-level access to graphics hardware resources, exploiting a vulnerability in the framework could give an attacker the ability to manipulate graphics resources, intercept or modify data, or even cause the device to crash.”

The second vulnerability (CVE-2023-28205) is a WebKit use-after-free flaw that allows data corruption or arbitrary code execution when reusing freed memory. Apple said it fixed the bug with improved memory management.

“WebKit is a core software component of macOS and iOS, responsible for rendering web pages and executing JavaScript code in the Safari web browser and other applications that use WebKit,” said Vishnubhotla.

“Exploiting a vulnerability in WebKit could allow attackers to take control of the device’s web browsing capabilities and steal sensitive user data, such as login credentials and other personal information. It could also allow attackers to inject malicious code into web pages or launch phishing attacks to trick users into revealing sensitive information.”

Read more on Apple zero-days here: Apple Fixes Actively Exploited iPhone Zero-Day Vulnerability

Both vulnerabilities affect macOS Ventura 13.3.1 and iOS and iPadOS 16.4.1 devices. Apple credited Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for their discovery.

“Apple is responding quickly here, which is good, especially with evidence that these vulnerabilities are being exploited in the wild,” commented Mike Parkin, Senior Technical Engineer at Vulcan Cyber.

“It is interesting that Amnesty International’s Security Lab was one of the organizations involved in finding and reporting the issue. While Apple hasn’t said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors.”

The Apple advisory comes days after Google warned Android users of commercial spyware vendors exploiting zero-day flaws on mobile devices.