Original Article Text


Apple fixes iOS Kernel zero-day vulnerability on older iPhones

Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory.

The first zero-day (tracked as CVE-2023-42824) is a privilege escalation vulnerability caused by a weakness in the XNU kernel that can let local attackers elevate privileges on vulnerable iPhones and iPads. Apple has now also fixed the issue in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, but it has yet to reveal who discovered and reported the flaw.

The second one, a bug identified as CVE-2023-5217, is caused by a heap buffer overflow vulnerability within the VP8 encoding of the open-source libvpx video codec library. This flaw could let threat actors gain arbitrary code execution upon successful exploitation. Even though Apple did not confirm any instances of exploitation in the wild, Google previously patched the libvpx bug as a zero-day in its Chrome web browser. Microsoft also addressed the same vulnerability in its Edge, Teams, and Skype products. Google attributed the discovery of CVE-2023-5217 to security researcher Clément Lecigne, a member of Google's Threat Analysis Group (TAG), a team of security experts known for uncovering zero-days exploited in state-backed targeted spyware attacks aimed at high-risk individuals.

The list of devices impacted by the two zero-day bugs is extensive, and it includes:

CISA added the two vulnerabilities [1, 2] to its Known Exploited Vulnerabilities Catalog last week, ordering federal agencies to secure their devices against incoming attacks.

Apple also recently addressed three zero-days (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that researchers from Citizen Lab and Google TAG reported. Threat actors exploited them to deploy Cytrox's Predator spyware. Additionally, Citizen Lab found two other zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064) that were fixed by Apple last month. These flaws were exploited as part of a zero-click exploit chain known as BLASTPASS and used to install NSO Group's Pegasus spyware on fully patched iPhones.

Since the start of the year, Apple has patched 18 zero-day vulnerabilities exploited in the wild to target iPhones and Macs, including:

Daily Brief Summary

CYBERCRIME // Apple Backports Patches for Zero-Day Vulnerabilities on Older iPhones and iPads

Apple has released security updates for older versions of iPhones and iPads, addressing two zero-day vulnerabilities that have been exploited in attacks. The company has not revealed who discovered and reported the kernel flaw.

The first vulnerability (CVE-2023-42824) concerns a weakness in the XNU kernel leading to privilege escalation, potentially allowing attackers greater access to the victim's device. Apple has addressed this issue with improved checks in updated software versions.

The second bug (CVE-2023-5217) involves a heap buffer overflow vulnerability within the VP8 encoding of the libvpx video codec library, which could lead to arbitrary code execution. Google previously patched the same libvpx issue as a zero-day in Chrome, while Microsoft addressed it in its Edge, Teams, and Skype products.

Google’s Threat Analysis Group, renowned for uncovering zero-day exploits in state-backed spyware attacks, credited security researcher Clément Lecigne with discovering CVE-2023-5217.

The list of devices affected by these vulnerabilities is wide-ranging, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to update its Known Exploited Vulnerabilities Catalog and instruct federal agencies to defend their systems against these threats.

Earlier this year, Apple rectified 18 zero-day vulnerabilities that were being exploited to target iPhones and Macs, demonstrating the company's ongoing efforts to secure its platforms.