Apple

Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory.

The first zero-day (tracked as CVE-2023-42824) is a privilege escalation vulnerability caused by a weakness in the XNU kernel that can let local attackers elevate privileges on vulnerable iPhones and iPads.

Apple has now also fixed the issue in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, but it has yet to reveal who discovered and reported the flaw.

The second one, a bug identified as CVE-2023-5217, is caused by a heap buffer overflow vulnerability within the VP8 encoding of the open-source libvpx video codec library. This flaw could let threat actors gain arbitrary code execution upon successful exploitation.

Even though Apple did not confirm any instances of exploitation in the wild, Google previously patched the libvpx bug as a zero-day in its Chrome web browser. Microsoft also addressed the same vulnerability in its Edge, Teams, and Skype products.

Google attributed the discovery of CVE-2023-5217 to security researcher Clément Lecigne, a member of Google's Threat Analysis Group (TAG), a team of security experts known for uncovering zero-days exploited in state-backed targeted spyware attacks aimed at high-risk individuals.

The list of devices impacted by the two zero-day bugs is extensive, and it includes:

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

CISA added the two vulnerabilities [12] to its Known Exploited Vulnerabilities Catalog last week, ordering federal agencies to secure their devices against incoming attacks.

Apple also recently addressed three zero-days (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that researchers from Citizen Lab and Google TAG reported. Threat actors exploited them to deploy Cytrox's Predator spyware.

Additionally, Citizen Lab found two other zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064) that were fixed by Apple last month. 

These flaws were exploited as part of a zero-click exploit chain known as BLASTPASS and used to install NSO Group's Pegasus spyware on fully patched iPhones.

Since the start of the year, Apple patched 18 zero-day vulnerabilities exploited in the wild to target iPhones and Macs, including:

Related Articles:

CISA warns of patched iPhone kernel bug now exploited in attacks

Apple fixes first zero-day bug exploited in attacks this year

Apple fixes two new iOS zero-days exploited in attacks on iPhones

iPhone apps abuse iOS push notifications to collect user data

iShutdown scripts can help detect iOS spyware on your iPhone