Jump to content
  • Apple emergency update fixes new zero-day used to hack iPhones and iPads


    Karlston

    • 704 views
    • 3 minutes
     Share


    • 704 views
    • 3 minutes

    Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users.

     

    "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory issued on Wednesday.

     

    The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.

     

    While Apple said it addressed the security issue with improved checks, it has yet to reveal who found and reported the flaw.

     

    The list of impacted devices is quite extensive, and it includes:

     

    • iPhone XS and later
    • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

     

    Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.

     

    The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.

     

    CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google's Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.

    17 zero-days exploited in attacks fixed this year

    CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.

     

    Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox's Predator spyware.

     

    Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware.

     

    Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs, including:

     

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...