
Apple fixes zero-day allowing attacks on iPhone/iPad

Apple released emergency security updates to patch a new zero-day vulnerability used in attacks against iPhone and iPad users.


Apple has learned that this problem may have been used against devices running versions of iOS before iOS 16.6.

It is a vulnerability in the XNU kernel, tracked as CVE-2023-42824. It allows local attackers to elevate their privileges on unpatched iPhones and iPads.

Although Apple reports that the security issue has been addressed in iOS 17.0.3 and iPadOS 17.0.3, it has not yet revealed who discovered and reported the vulnerability.


The list of affected devices is quite extensive and includes:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later models, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Apple also addressed a zero-day identified as CVE-2023-5217, which is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library. This vulnerability could allow code execution.

The libvpx problem has been fixed by Google in Chrome and by Microsoft in its Edge, Teams and Skype products. Companies have responded effectively to this vulnerability by providing the necessary updates to address it. CVE-2023-5217 was discovered by security researcher Clément Lecigne, who is a member of Google's Threat Analysis Group (TAG), a team of security experts known for finding zero-day vulnerabilities that government hackers use for targeted spyware attacks.


Apple: It has fixed 17 zero-day vulnerabilities this year

CVE-2023-42824 is the 17th zero-day vulnerability that Apple has patched since the beginning of this year.

Recently, the company fixed three other zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993) reported by Citizen Lab and Google TAG that were used in attacks to install Cytrox's Predator spyware.

Citizen Lab has uncovered two other vulnerabilities (CVE-2023-41061 and CVE-2023-41064), which were patched by Apple last month, that were used as part of a zero-click exploit chain (named BLASTPASS) to infect fully updated iPhones with NSO Group's Pegasus spyware.

The other vulnerabilities that have been used against iPhones and Macs this year are the following:

  • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • three zero-days (CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439) in June
  • three zero-days (CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373) in May
  • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • and another WebKit zero-day (CVE-2023-23529) in February

This new security update is an important step for Apple in its ongoing effort to ensure that its users are protected from various threats. The new zero-day that recently became known is a perfect example. To counter this zero-day threat, Apple developed and made available a special software update.


It is also important to keep in mind that security should not be limited to updating software. Often, users need to follow other practices, such as using strong passwords, avoiding suspicious links and managing personal information wisely, to maintain the security of their devices and data.

In addition to the zero-day, Apple's new iOS 17.0.3 version addresses a known problem that causes overheating on iPhones running iOS 17.0.2 and lower.

Source : www.bleepingcomputer.com
