On Wednesday, Apple issued emergency security updates to address two recently discovered zero-day vulnerabilities that have been exploited in cyberattacks.
In an advisory released on the same day, Apple acknowledged the possibility of these vulnerabilities being actively exploited in versions of iOS predating iOS 16.6.
The initial zero-day vulnerability (CVE-2023-42824) stems from a weakness identified within the XNU kernel, which permits local attackers to elevate privileges on iPhones and iPads that have not received the necessary patches.
Apple has addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3, implementing enhanced security checks. However, the entity responsible for discovering and reporting the flaw remains undisclosed.
A wide range of devices have been affected, including:
iPhone XS and newer models
iPad Pro 12.9-inch 2nd generation and later
iPad Pro 10.5-inch
iPad Pro 11-inch 1st generation and later
iPad Air 3rd generation and later
iPad 6th generation and later
iPad mini 5th generation and later
Additionally, Apple has resolved another issue, identified as CVE-2023-5217, stemming from a heap buffer overflow weakness within the VP8 encoding of the open-source libvpx video codec library. Successful exploitation of this bug could result in arbitrary code execution. Although Apple did not confirm active exploitation in the wild, this libvpx bug had previously been patched as a zero-day by Google in the Chrome web browser and by Microsoft in products such as Edge, Teams, and Skype.
CVE-2023-42824 marks the 17th zero-day vulnerability exploited in attacks that Apple has addressed since the beginning of the year.
Apple recently patched three other zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993), which had been exploited in spyware attacks for the installation of Cytrox's Predator spyware.
There were also two additional zero-days (CVE-2023-41061 and CVE-2023-41064) that Apple fixed last month. These were utilised as part of a zero-click exploit chain, known as BLASTPASS, to infect fully patched iPhones with NSO Group's Pegasus spyware.
Since January 2023, Apple has taken action against a total of 18 zero-day vulnerabilities that were exploited to target iPhones and Macs. These include:
Two zero-days (CVE-2023-37450 and CVE-2023-38606) in July.
Three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June.
An additional three zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May.
Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April.
And another zero-day related to WebKit (CVE-2023-23529) in February.
The iOS 17.0.3 release launched today also tackles a known issue that was causing iPhones running iOS 17.0.2 and earlier versions to experience overheating.
Apple stated, "This update includes crucial bug fixes, security enhancements, and addresses a problem that could lead to iPhones running warmer than expected."
