Apple releases zero-day bug fix for iOS 15 for older iPhones again
Apple has released a version of iOS 15 for older iPhones that fixes two vulnerabilities that were exploited. Details are missing, but it is the second time in a short period that the company has released such an update. iPadOS has also been fixed.
The update is iOS and iPadOS 15.7.5. It fixes only two vulnerabilities in the mobile operating systems. Both were abused in practice, Apple writes, but as usual, the company does not provide details. Both bugs were reported by researchers from Google's Threat Analysis Group and a security researcher from Amnesty International. The latter is especially interesting; it may indicate that malware was being distributed against human rights activists, for example, although that is speculation.
The two bugs are CVE-2023-28205 and CVE-2023-28206. The first is a use-after-free bug in WebKit, Safari's engine. This memory bug made it possible to execute code via a phishing website. The second is an out-of-bounds write bug in IOSurfaceAccelerator. This made it possible for an app to execute code at the kernel level.
The bugs have been fixed for phones that cannot get the update to the newer iOS 16. These are the iPhone 6s, iPhone 7 and iPhone SE. For the iPad, the iPad Air 2 and iPad mini have been fixed, as has the iPod Touch. Additionally, the bug has been fixed in iOS 16.4.1 and in macOS versions Monterey, Big Sur 11.7.6, and Ventura 13.3.1.
It is the second time in a short period that Apple has released such a security update for older models of the iPhone and iPad. iOS and iPadOS 15.7.4, released at the end of March, also fixed several vulnerabilities, including a zero-day.