Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones.
"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.
The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections.
The company says it addressed the security flaws for devices running iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6 with improved input validation.
The list of impacted Apple devices is quite extensive, and it includes:
- iPhone XS and later, iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Apple has not shared who disclosed both zero-days or if they were discovered internally.
While Apple has not released information regarding ongoing exploitation in the wild, iOS zero-day vulnerabilities are commonly used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.
While these zero-day vulnerabilities were likely only used in targeted attacks, installing today's security updates as soon as possible is highly advised to block potential attack attempts.
With these two vulnerabilities, Apple has fixed three zero-days so far in 2024, with the first in January.
Last year, the company fixed a total of 20 zero-day flaws exploited in the wild, including:
- two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
- two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
- five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February