Apple has released an emergency security update to fix a new zero-day vulnerability that has been exploited in attacks against iPhone and iPad users. The company stated in a Wednesday advisory, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6." The zero-day, tracked as CVE-2023-42824, stems from a weakness in the XNU kernel that can allow local attackers to escalate their privileges on unpatched iPhones and iPads. Apple addressed the issue with improved checks but has not disclosed who discovered the flaw. The range of affected devices is notably extensive.
Apple also fixed another zero-day vulnerability, tracked as CVE-2023-5217, which arises from a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. Successful exploitation could allow arbitrary code execution. This libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products. Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), discovered CVE-2023-5217. TAG is a team of security experts who frequently identify zero-days exploited in government-sponsored targeted spyware attacks against high-risk individuals.
CVE-2023-42824 marks the 17th zero-day vulnerability that Apple has remedied since the beginning of the year. Apple recently fixed three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers, which were exploited in spyware attacks to install Cytrox's Predator spyware. Citizen Lab also revealed two additional zero-days (CVE-2023-41061 and CVE-2023-41064) that Apple corrected last month. These were exploited as part of a zero-click exploit chain, named BLASTPASS, to infect fully patched iPhones with NSO Group's Pegasus spyware.
Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs.