CVE-2023-28205

CVE-2023-28205 is a critical risk vulnerability that originated from a missing fix in WebKit #VU74604. This flaw in software design or implementation allowed attackers to take over the browser app of targeted devices remotely, leading to potential data corruption or arbitrary code execution when reusing freed memory. The vulnerability was particularly dangerous as it could be exploited simply by visiting a web page, making iPhones, Macs, and iPads susceptible to attack. In April 2023, Apple released updates to address two bugs, CVE-2023-28205 and CVE-2023-28206, both of which enabled code execution with elevated privileges. However, the initial bug (CVE-2023-28205) was found to be still exploitable, leading to further security concerns. It wasn't until the release of iOS 16, iPadOS 16, and macOS 13 Ventura that simultaneous updates were issued to patch these vulnerabilities, securing devices against drive-by installs exploiting the WebKit bug and device takeover attacks exploiting the kernel vulnerability. Following Apple's patch release, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered all U.S. government agencies to update their iOS, iPadOS, and macOS devices within a day. This directive was issued after detecting attacks exploiting these vulnerabilities. The first vulnerability (CVE-2023-28206) was an Out-of-bounds write on IOSurfaceAccelerator, allowing attackers to create apps that run commands at the kernel level on the target machine. The second vulnerability (CVE-2023-28205), a Use-after-free flaw on WebKit, enabled attackers to run commands on iPhone, Mac, and iPad devices merely through a web page.