Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws

March 6, 2024 at 01:03AM

Apple has released security updates for iOS and iPadOS to fix two actively exploited vulnerabilities, CVE-2024-23225 and CVE-2024-23296, addressing both with improved validation. The flaws allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections. This brings the number of actively exploited zero-days Apple has addressed since the start of the year to three.

Key takeaways from the article:

1. Apple has released security updates to address several vulnerabilities, including two actively exploited ones, listed as CVE-2024-23225 and CVE-2024-23296.
2. These vulnerabilities allow an attacker with arbitrary kernel read and write capability to bypass kernel memory protections and have been addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
3. The updates cover a range of devices, including iPhone 8 and later, iPad 5th generation and later, and iPad Pro models.
4. Apple has now addressed a total of three actively exploited zero-days in its software since the beginning of the year, including a previously addressed type confusion flaw in WebKit (CVE-2024-23222).
5. CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024. These vulnerabilities affect Android Pixel devices (CVE-2023-21237) and Sunhillo SureLine (CVE-2021-36380).

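The practical follow-up to an advisory like this is checking a device inventory against the fixed versions. The script below is an added example, not code from the article or from Apple; it uses the fix versions the article lists (iOS 17.4 / iPadOS 17.4 and iOS 16.7.6 / iPadOS 16.7.6) as per-release-train minimums, reports any release train the article does not name as "unknown" rather than assuming it is fixed, and runs over a constructed sample inventory with hypothetical device IDs. The point it demonstrates is that version strings must be compared numerically per component: a plain string comparison ranks "17.10" below "17.4" and would mark a patched device as vulnerable.

```python
from __future__ import annotations

# Minimum OS version carrying the fixes for CVE-2024-23225 and CVE-2024-23296,
# keyed by release train, as listed in the article. Trains the article does not
# name (for example 15.x) are not assumed fixed and are reported as "unknown".
FIXED_VERSIONS = {
    "iOS": {17: (17, 4), 16: (16, 7, 6)},
    "iPadOS": {17: (17, 4), 16: (16, 7, 6)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.7.6' into (16, 7, 6).

    Raises ValueError on anything that is not dotted integers, so a typo in
    inventory data fails loudly instead of silently reading as 'patched'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(os_name: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a single device."""
    v = parse_version(version)
    trains = FIXED_VERSIONS.get(os_name)
    if trains is None or v[0] not in trains:
        return "unknown"
    fixed = trains[v[0]]
    # Tuple comparison is numeric per component, so (17, 10) >= (17, 4).
    # Comparing the raw strings would wrongly rank "17.10" below "17.4".
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Group an inventory of (device_id, os_name, version) by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, os_name, version in inventory:
        report[patch_status(os_name, version)].append(device_id)
    return report


# Constructed sample inventory with hypothetical device IDs; not data from the article.
SAMPLE_INVENTORY = [
    ("iphone-a1", "iOS", "17.4"),
    ("iphone-a2", "iOS", "17.3.1"),
    ("iphone-a3", "iOS", "17.10"),
    ("iphone-b1", "iOS", "16.7.5"),
    ("ipad-c1", "iPadOS", "16.7.6"),
    ("iphone-d1", "iOS", "15.8.1"),
]

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices on a train the table does not cover land in "unknown" on purpose: the right response there is to confirm against Apple's advisory rather than to let the script guess.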