Apple’s Emergency Security Update Targets Newly Discovered Zero-Day Vulnerabilities

October 4, 2023

Apple has released an emergency security update to resolve a new zero-day vulnerability that has been used in attacks against iPhone and iPad users. The company stated in a Wednesday advisory, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6." The zero-day, designated CVE-2023-42824, stems from a weakness in the XNU kernel that can allow local attackers to escalate their privileges on unpatched iPhones and iPads. Apple addressed the issue with improved checks; the discoverer of the flaw remains undisclosed. The range of affected devices is extensive.

Apple also fixed another zero-day vulnerability, tracked as CVE-2023-5217, which arises from a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. Successful exploitation could enable arbitrary code execution. This libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products. Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), discovered CVE-2023-5217. TAG is a team of security experts that frequently identifies zero-days exploited in government-sponsored targeted spyware attacks against high-risk individuals.

CVE-2023-42824 marks the 17th zero-day vulnerability that Apple has remedied since the beginning of the year. Apple recently fixed three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers, which were exploited in spyware attacks to install Cytrox's Predator spyware. Citizen Lab also revealed two additional zero-days (CVE-2023-41061 and CVE-2023-41064) that Apple corrected last month. These were exploited as part of a zero-click exploit chain, named BLASTPASS, to infect fully patched iPhones with NSO Group's Pegasus spyware.

Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs.
