October 12, 2023 at 12:46PM
Apple has released security updates for older iPhones and iPads to address two zero-day vulnerabilities that were being exploited in attacks. The first vulnerability allows local attackers to elevate privileges on vulnerable devices, while the second vulnerability could allow threat actors to execute arbitrary code. Although Apple has not confirmed any instances of exploitation in the wild, Google and Microsoft have previously patched the same vulnerabilities. The impacted devices include iPhone 8 and later models, as well as various iPad models. Apple has also recently addressed other zero-day vulnerabilities that were being exploited to deploy spyware. In total, Apple has patched 18 zero-day vulnerabilities this year.
According to the meeting notes, Apple has released security updates for older iPhones and iPads to address two zero-day vulnerabilities. The first vulnerability, tracked as CVE-2023-42824, is a privilege escalation vulnerability in the XNU kernel that allows local attackers to elevate privileges on vulnerable devices. The second vulnerability, identified as CVE-2023-5217, is a heap buffer overflow vulnerability in the libvpx video codec library, which could allow threat actors to execute arbitrary code. While Apple has fixed these issues, they have not disclosed who discovered and reported the vulnerabilities. Google previously patched the libvpx bug in its Chrome web browser, and Microsoft also addressed the same vulnerability in its Edge, Teams, and Skype products.
The impacted devices include iPhone 8 and later models, as well as various iPad models.
Apple has also addressed additional zero-day vulnerabilities reported by Citizen Lab and Google TAG. These vulnerabilities were exploited to deploy Cytrox’s Predator spyware. Furthermore, Citizen Lab discovered two other zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064) that were fixed by Apple last month. These vulnerabilities were part of the BLASTPASS zero-click exploit chain used to install NSO Group’s Pegasus spyware on fully patched iPhones.
Overall, Apple has patched a total of 18 zero-day vulnerabilities targeting iPhones and Macs since the beginning of the year.