Apple has released an emergency security update to address two newly discovered zero-day vulnerabilities that have been actively exploited to attack iPhones and iPads.
The first zero-day (CVE-2023-42824) is a kernel vulnerability that could allow an attacker to elevate their privileges on an unpatched device. The second zero-day (CVE-2023-5217) is a heap buffer overflow vulnerability in the VP8 video codec library, libvpx. Exploiting this vulnerability could lead to the execution of arbitrary code.
Apple has not confirmed any in-the-wild exploitation of the libvpx bug, but it is worth noting that Google and Microsoft have previously patched it as a zero-day in their products.
The latest security update is available for all devices running iOS 17.0.3 and iPadOS 17.0.3 or later. Apple urges all users to install the update as soon as possible.
This marks the 17th zero-day vulnerability exploited in attacks that Apple has remedied since the start of the year. Apple has also recently resolved three other zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993), reported by Citizen Lab and Google TAG researchers. These vulnerabilities had been exploited in spyware attacks to deploy Cytrox’s Predator spyware.
Citizen Lab had previously disclosed two additional zero-days (CVE-2023-41061 and CVE-2023-41064), which Apple addressed last month. These zero-days were abused as part of a zero-click exploit chain, dubbed BLASTPASS, designed to infect fully patched iPhones with NSO Group’s Pegasus spyware.
In total, since January 2023, Apple has confronted 18 zero-days used to target iPhones and Macs.
Apple’s swift response to these zero-days is commendable. The company is clearly committed to protecting its users from emerging threats. However, the sheer number of zero-days that have been exploited this year is a reminder that the threat landscape is constantly evolving.
The best way to protect yourself from zero-day vulnerabilities is to keep your software up to date. Apple and other software developers regularly release security updates to patch known vulnerabilities. It is important to install these updates as soon as they are available.
In addition, users should be cautious about what apps they install and what websites they visit. Only install apps from trusted sources, and avoid visiting websites that are known to be malicious.
Finally, users should be aware of the latest phishing scams and social engineering attacks. Attackers often use these tactics to trick users into revealing sensitive information or clicking on malicious links.