By Sergiu Gatlan October 4, 2023 02:19 PM
Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said in an advisory issued on Wednesday.
The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.
While Apple said it addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has yet to reveal who found and reported the flaw.
The list of impacted devices is quite extensive, and it includes:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.
The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.
CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google’s Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.
17 zero-days exploited in attacks fixed this year
CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.
Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox’s Predator spyware.
Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group’s Pegasus spyware.
Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs, including:
two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
and another WebKit zero-day (CVE-2023-23529) in February
Today’s iOS 17.0.3 release also addresses a known issue causing iPhones running iOS 17.0.2 and lower to overheat.
“This update provides important bug fixes, security updates, and addresses an issue that may cause iPhone to run warmer than expected,” Apple said.
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”
New Site Status Page (https://cloudstatus.mspportalpartners.net)