Apple launched emergency safety updates to patch a brand new zero-day safety flaw exploited in assaults concentrating on iPhone and iPad customers.
“Apple is conscious of a report that this concern might have been actively exploited in opposition to variations of iOS earlier than iOS 16.6,” the corporate stated in an advisory issued on Wednesday.
The zero-day (CVE-2023-42824) is brought on by a weak point found within the XNU kernel that allows native attackers to escalate privileges on unpatched iPhones and iPads.
Whereas Apple stated it addressed the safety concern in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has but to disclose who discovered and reported the flaw.
The checklist of impacted units is kind of in depth, and it consists of:
- iPhone XS and later
- iPad Professional 12.9-inch 2nd technology and later, iPad Professional 10.5-inch, iPad Professional 11-inch 1st technology and later, iPad Air third technology and later, iPad sixth technology and later, and iPad mini fifth technology and later
Apple additionally addressed a zero-day tracked as CVE-2023-5217 and brought on by a heap buffer overflow weak point within the VP8 encoding of the open-source libvpx video codec library, which may enable arbitrary code execution following profitable exploitation.
The libvpx bug was beforehand patched by Google within the Chrome internet browser and by Microsoft in its Edge, Groups, and Skype merchandise.
CVE-2023-5217 was found by safety researcher Clément Lecigne who’s a part of Google’s Risk Evaluation Group (TAG), a workforce of safety specialists identified for sometimes discovering zero-days abused in government-backed focused adware assaults concentrating on high-risk people.
17 zero-days exploited in assaults fastened this yr
CVE-2023-42824 is the seventeenth zero-day vulnerability exploited in assaults that Apple has fastened because the begin of the yr.
Apple additionally lately patched three different zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in adware assaults to set up Cytrox’s Predator adware.
Citizen Lab disclosed two different zero-days (CVE-2023-41061 and CVE-2023-41064)—fastened by Apple final month—abused as a part of a zero-click exploit chain (dubbed BLASTPASS) to contaminate totally patched iPhones with NSO Group’s Pegasus adware.
Since January 2023, Apple has addressed a complete of 17 zero-days exploited to goal iPhones and Macs, together with:
At present’s iOS 17.0.3 launch additionally addresses a identified concern inflicting iPhones operating iOS 17.0.2 and decrease to overheat.
“This replace offers vital bug fixes, safety updates, and addresses a problem that will trigger iPhone to run hotter than anticipated,” Apple stated.