Article Details

Original Article Text

Apple emergency update fixes new zero-day used to hack iPhones

Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory issued on Wednesday.

The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.

While Apple said it addressed the security issue with improved checks, it has yet to reveal who found and reported the flaw.

The list of impacted devices is quite extensive, and it includes:

Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.

The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.

CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google's Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.

17 zero-days exploited in attacks fixed this year

CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.

Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox's Predator spyware.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware.

Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs, including:

Daily Brief Summary

CYBERCRIME // Apple Fixes Zero-Day Flaws Targeting iPhones and iPads

Apple released emergency security updates to patch a zero-day flaw exploited in attacks targeting iPhone and iPad users. The issue is caused by a weakness in the XNU kernel.

Devices including models of iPhone, iPad and iPod touch were impacted by this vulnerability, identified as CVE-2023-42824.

An additional zero-day vulnerability, tracked as CVE-2023-5217, was also addressed; it is associated with a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library, found and reported by Google's Threat Analysis Group (TAG).

Over the course of the year, Apple has fixed 17 zero-day vulnerabilities exploited in attacks, including three recently patched ones (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that were used in spyware attacks to install Cytrox's Predator spyware.

Citizen Lab recently disclosed two zero-days (CVE-2023-41061 and CVE-2023-41064) that were fixed by Apple and had been used in zero-click exploit chains to infect fully patched iPhones with NSO Group's Pegasus spyware.

Although Apple has addressed these issues with improved checks, the company has not yet disclosed who discovered and reported the initial flaw.