Apple has demonstrated that it can more than hold its own among the tech giants, at least in terms of finding itself on the wrong end of zero-day vulnerabilities.
iOS and iPadOS have again come under attack, and Apple has rushed out a fix to ward off miscreants.
The latest issues are CVE-2023-42824 and CVE-2023-5217. The latter is a week old and refers to a heap buffer overflow in the VP8 compression format in libvpx. Apple noted that the overflow could result in arbitrary code execution and fixed it by updating to libvpx 1.13.1.
The former, however, is a little more mysterious at this stage. It permits a local attacker to elevate their privileges, and Apple said it might have been actively exploited against versions of iOS before iOS 16.6.
The fix is in the kernel, and, according to Apple: “The issue was addressed with improved checks.”
Devices for which the fix – in iOS 17.0.3 and iPadOS 17.0.3 – is available include the iPhone XS and later, the 6th-generation iPad and later models, and the iPad Mini from the 5th generation. Apple has published a description of the update. The company dropped support for older models in iOS 17.
Apple devices have come under increasing scrutiny from attackers in recent years. The company was forced to hurry out patches in the last few weeks to deal with vulnerabilities in its software, which included a privilege elevation exploit in the kernel – CVE-2023-41992.
It is not clear if CVE-2023-41992 and the latest CVE-2023-42824 are connected. Both are related to kernel privilege elevation. CVE-2023-41992 was part of a trio of security holes exploited by the Predator spyware sold by Intellexa to infect the iPhones of victims.
In the case of the Predator spyware, the suggestion was that users should update their devices immediately. Users likely to find themselves targeted should also consider enabling Lockdown Mode to ward off attackers. ®