The US government has instructed its workers to update their iPhones, Mac computers, and iPads by May 1. This measure is to protect their Apple devices from potential compromise.

BleepingComputer recently reported that the Cybersecurity and Infrastructure Agency (CISA) has ordered federal agencies to apply a patch fixing CVE-2023-28206 and CVE-2023-28205, as these flaws are allegedly being actively exploited in the wild by threat actors to gain full access to target devices. Apple has acknowledged the issue in an advisory published along with the fixes.

Apple devices at risk

The first vulnerability is an IOSurface out-of-bounds write issue that allows threat actors to corrupt data, crash apps and devices, and remotely execute code. In the worst-case scenario, a malicious app could allow an attacker to execute arbitrary code with kernel privileges on the device. The second vulnerability involves WebKit and has similar consequences: data corruption and arbitrary code execution through a victim’s visit to a malicious website, resulting in remote code execution.

To address these flaws, Apple released iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. Users concerned about these vulnerabilities should update their systems to the latest version as soon as possible.

The US government has urged its workers to update their iPhones by May 1, along with their Mac computers and iPads. This measure aims to protect their Apple devices from potential compromise.

Apple confirmed that threat actors have exploited the zero-days in the wild but did not provide further details. Media speculation suggests that state-sponsored attackers might be involved, as the researchers who discovered the flaws typically focus on government-sponsored actors. Clément Lecigne from Google’s Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International’s Security Lab were the researchers who found these vulnerabilities. Reportedly, the flaws were used as part of an exploit chain.