Apple has recently rolled out emergency security updates to address a new zero-day vulnerability that was being exploited to target iPhone and iPad users. This comes in the wake of reports suggesting that the flaw might have been actively exploited in versions of iOS prior to iOS 16.6.
Key Highlights:
- The zero-day, labeled as CVE-2023-42824, stems from a vulnerability in the XNU kernel.
- This flaw allows local attackers to escalate privileges on unpatched iPhones and iPads.
- Apple has addressed this issue in iOS 17.03 and iPadOS 17.03.
- The list of affected devices includes iPhone XS and later, various iPad Pro models, iPad Air 3rd generation and later, and iPad mini 5th generation and later.
- Another zero-day, CVE-2023-5217, related to the open-source libvpx video codec library, was also addressed.
- This year, Apple has fixed a total of 17 zero-day vulnerabilities that were exploited in attacks.
Details on the Zero-Day Exploit:
The zero-day vulnerability, CVE-2023-42824, was identified as a weakness in the XNU kernel. This vulnerability allows local attackers to escalate their privileges on devices that haven’t been patched. Although Apple has taken measures to address this issue in its recent updates, the company has not disclosed the entity that reported this flaw.
Furthermore, Apple has also addressed another zero-day, CVE-2023-5217, which was caused by a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library. This could potentially allow attackers to execute arbitrary code. Notably, this particular bug had previously been patched by other tech giants like Google and Microsoft in their respective products.
A Year of Zero-Days:
It’s worth noting that CVE-2023-42824 is the 17th zero-day vulnerability that Apple has addressed since the beginning of the year. The company has been proactive in patching these vulnerabilities, some of which were reported by renowned entities like Citizen Lab and Google’s Threat Analysis Group (TAG). These vulnerabilities were exploited in various attacks, including those that aimed to install spyware on devices.
Summary:
Apple’s commitment to user security is evident in its swift response to emerging threats. The recent emergency update is a testament to this, as the company moved quickly to patch a new zero-day vulnerability that was being exploited to target iPhone and iPad users. With a total of 17 zero-day vulnerabilities addressed this year, Apple continues to prioritize the safety and security of its user base. Users are advised to keep their devices updated to the latest software versions to ensure maximum protection against potential threats.