Apple’s Emergency Security Update Targets Newly Discovered Zero-Day Vulnerabilities
October 4, 2023
Apple has released an immediate security update to resolve a new zero-day vulnerability that has been utilized in attacks against iPhone and iPad users. The company stated in a Wednesday advisory, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6." The zero-day, designated as CVE-2023-42824, stems from a weakness identified in the XNU kernel, which can allow local attackers to increase their privileges on unpatched iPhones and iPads. Although Apple has implemented improved checks to address this security concern, the discoverer of the flaw remains undisclosed. The range of affected devices is notably extensive.
Apple also tackled another zero-day vulnerability, tracked as CVE-2023-5217, which arises from a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. This could potentially enable arbitrary code execution following successful exploitation. This libvpx bug was previously rectified by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products. Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), discovered CVE-2023-5217. TAG is a team of security experts frequently identifying zero-days exploited in government-sponsored targeted spyware attacks against high-risk individuals.
CVE-2023-42824 marks the 17th zero-day vulnerability that Apple has remedied since the beginning of the year. Apple recently fixed three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers, which were exploited in spyware attacks to install Cytrox's Predator spyware. Citizen Lab also revealed two additional zero-days (CVE-2023-41061 and CVE-2023-41064) that Apple corrected last month. These were exploited as part of a zero-click exploit chain, named BLASTPASS, to infect fully patched iPhones with NSO Group's Pegasus spyware.
Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs.
Related News
- Microsoft Patches Zero-Day Vulnerabilities in Edge, Teams, and Skype
- Israeli Spyware Vendor Intellexa Exploits Rare iOS and Chrome Zero-Days to Target Egyptian Entities
- Google Addresses Fifth Actively Exploited Chrome Zero-Day of 2023
- Apple's macOS 14 Sonoma Addresses Over 60 Security Issues
- Google Reclassifies libwebp Bug Exploited in Attacks
Latest News
- Critical Zero-Day Vulnerability in Atlassian's Confluence Software Patched Amidst Exploitation
- Cisco Addresses Critical Security Flaw in Emergency Responder
- Major Linux Distributions Vulnerable to Severe glibc Privilege Escalation Flaw
- Google's October 2023 Security Update for Android Fixes Actively Exploited Zero-days
- Critical Security Flaws Discovered in PyTorch Models: Remote Code Execution Possible
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.