Apple fixes two new iOS zero-days exploited in attacks on iPhones

March 5, 2024 at 04:36PM

Apple issued emergency security updates to address two iOS zero-day vulnerabilities that allowed attacks on iPhones, and acknowledged that they may have been exploited. The bugs, in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), enabled attackers to bypass kernel memory protections. The company updated affected devices and advised immediate installation of the updates. This addresses the vulnerabilities used in state-sponsored spyware attacks and underscores the importance of prompt installation.

From the meeting notes:

– Apple released emergency security updates to fix two iOS zero-day vulnerabilities (CVE-2024-23225 in the iOS Kernel and CVE-2024-23296 in RTKit) exploited in attacks on iPhones.
– Apple addressed the security flaws for devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6 with improved input validation.
– The impacted Apple devices include a range of iPhone and iPad models.
– Apple has not said who reported the zero-days or whether they were discovered internally.
– Although Apple has not released information regarding ongoing exploitation in the wild, iOS zero-day vulnerabilities are commonly used in state-sponsored spyware attacks against high-risk individuals.
– Installing the security updates as soon as possible is advised to block potential attack attempts.
– With these two vulnerabilities, Apple has fixed three zero-days in 2024 so far, with the first in January.
– Last year, the company fixed a total of 20 zero-day flaws exploited in the wild.
