Apple has urgently rolled out security updates to address a recently discovered zero-day flaw that was actively exploited in attacks targeting iPhone and iPad users. In an advisory issued on Wednesday, the company acknowledged the issue and said it may have been exploited against versions of iOS before iOS 16.6.
The zero-day vulnerability, tracked as CVE-2023-42824, stems from a weakness in the XNU kernel that can enable local attackers to escalate their privileges on unpatched iPhones and iPads. Apple said in its statement that it has fixed the issue with the release of iOS 17.0.3 and iPadOS 17.0.3. However, the company has not disclosed the identity of the individual or group who reported the flaw.
The list of affected devices is extensive and includes:
- iPhone XS and newer models
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and newer
- iPad 6th generation and newer
- iPad mini 5th generation and newer
In addition to CVE-2023-42824, Apple has also addressed another zero-day vulnerability identified as CVE-2023-5217. This vulnerability is associated with a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. Successful exploitation of this flaw could lead to arbitrary code execution.
Notably, Google had previously patched the libvpx bug in the Chrome web browser, and Microsoft had addressed it in its Edge, Teams, and Skype products.
CVE-2023-5217 was discovered by security researcher Clément Lecigne, who is a member of Google’s Threat Analysis Group (TAG). TAG is known for its expertise in identifying zero-days that are exploited in government-backed targeted spyware attacks against high-risk individuals.
This recent zero-day, CVE-2023-42824, marks the 17th vulnerability exploited in attacks that Apple has addressed since the beginning of this year. In addition to these recent fixes, Apple had also patched three other zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993), reported by researchers from Citizen Lab and Google TAG. These vulnerabilities had been exploited in spyware attacks to deploy Cytrox’s Predator spyware.
Citizen Lab had previously disclosed two additional zero-days (CVE-2023-41061 and CVE-2023-41064), which Apple addressed last month. These zero-days were part of a zero-click exploit chain known as BLASTPASS, used to infect fully patched iPhones with NSO Group’s Pegasus spyware.
In addition to addressing these security vulnerabilities, Apple’s iOS 17.0.3 release also tackles an existing issue causing iPhones running iOS 17.0.2 and earlier versions to overheat. The update is expected to provide important bug fixes and security updates and to resolve the overheating problem.
Apple users are strongly advised to promptly update their devices to the latest iOS and iPadOS versions to ensure protection against these critical vulnerabilities and to mitigate the risk of potential exploitation.