Apple launched emergency safety updates to patch a brand new zero-day safety flaw exploited in assaults concentrating on iPhone and iPad customers.
“Apple is conscious of a report that this challenge could have been actively exploited in opposition to variations of iOS earlier than iOS 16.6,” the corporate mentioned in an advisory issued on Wednesday.
The zero-day (CVE-2023-42824) is brought on by a weak point found within the XNU kernel that permits native attackers to escalate privileges on unpatched iPhones and iPads.
Whereas Apple mentioned it addressed the safety challenge in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has but to disclose who discovered and reported the flaw.
The checklist of impacted units is sort of intensive, and it consists of:
- iPhone XS and later
- iPad Professional 12.9-inch 2nd era and later, iPad Professional 10.5-inch, iPad Professional 11-inch 1st era and later, iPad Air third era and later, iPad sixth era and later, and iPad mini fifth era and later
Apple additionally addressed a zero-day tracked as CVE-2023-5217 and brought on by a heap buffer overflow weak point within the VP8 encoding of the open-source libvpx video codec library, which might permit arbitrary code execution following profitable exploitation.
The libvpx bug was beforehand patched by Google within the Chrome internet browser and by Microsoft in its Edge, Groups, and Skype merchandise.
CVE-2023-5217 was found by safety researcher Clément Lecigne who’s a part of Google’s Menace Evaluation Group (TAG), a crew of safety consultants recognized for occasionally discovering zero-days abused in government-backed focused spy ware assaults concentrating on high-risk people.
17 zero-days exploited in assaults fastened this 12 months
CVE-2023-42824 is the seventeenth zero-day vulnerability exploited in assaults that Apple has fastened for the reason that begin of the 12 months.
Apple additionally not too long ago patched three different zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spy ware assaults to set up Cytrox’s Predator spy ware.
Citizen Lab disclosed two different zero-days (CVE-2023-41061 and CVE-2023-41064)—fastened by Apple final month—abused as a part of a zero-click exploit chain (dubbed BLASTPASS) to contaminate totally patched iPhones with NSO Group’s Pegasus spy ware.
Since January 2023, Apple has addressed a complete of 17 zero-days exploited to goal iPhones and Macs, together with:
Right now’s iOS 17.0.3 launch additionally addresses a recognized challenge inflicting iPhones operating iOS 17.0.2 and decrease to overheat.
“This replace offers vital bug fixes, safety updates, and addresses a problem which will trigger iPhone to run hotter than anticipated,” Apple mentioned.
