Apple has revealed safety updates for older iPhones and iPads to backport patches launched one week in the past, addressing two zero-day vulnerabilities exploited in assaults.
“Apple is conscious of a report that this difficulty could have been actively exploited towards variations of iOS earlier than iOS 16.6,” the corporate stated in an advisory.
The primary zero-day (tracked as CVE-2023-42824) is a privilege escalation vulnerability brought on by a weak point within the XNU kernel that may let native attackers elevate privileges on susceptible iPhones and iPads.
Apple has now additionally fastened the difficulty in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, nevertheless it has but to disclose who found and reported the flaw.
The second, a bug recognized as CVE-2023-5217, is brought on by a heap buffer overflow vulnerability throughout the VP8 encoding of the open-source libvpx video codec library. This flaw may let risk actors achieve arbitrary code execution upon profitable exploitation.
Though Apple didn’t affirm any cases of exploitation within the wild, Google beforehand patched the libvpx bug as a zero-day in its Chrome internet browser. Microsoft additionally addressed the identical vulnerability in its Edge, Groups, and Skype merchandise.
Google attributed the invention of CVE-2023-5217 to safety researcher Clément Lecigne, a member of Google’s Risk Evaluation Group (TAG), a crew of safety consultants recognized for uncovering zero-days exploited in state-backed focused spy ware assaults aimed toward high-risk people.
The listing of gadgets impacted by the 2 zero-day bugs is in depth, and it contains:
- iPhone 8 and later
- iPad Professional (all fashions), iPad Air third era and later, iPad fifth era and later, and iPad mini fifth era and later
CISA added the 2 vulnerabilities [1, 2] to its Recognized Exploited Vulnerabilities Catalog final week, ordering federal businesses to safe their gadgets towards incoming assaults.
Apple additionally lately addressed three zero-days (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that researchers from Citizen Lab and Google TAG reported. Risk actors exploited them to deploy Cytrox’s Predator spy ware.
Moreover, Citizen Lab discovered two different zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064) that had been fastened by Apple final month.
These flaws had been exploited as a part of a zero-click exploit chain often known as BLASTPASS and used to put in NSO Group’s Pegasus spy ware on absolutely patched iPhones.
For the reason that begin of the yr, Apple patched 18 zero-day vulnerabilities exploited within the wild to focus on iPhones and Macs, together with:
