Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.
The shortcomings are listed below -
- CVE-2024-23225 - A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
- CVE-2024-23296 - A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
It's currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
The updates are available for the following devices -
- iOS 16.7.6 and iPadOS 16.7.6 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iOS 17.4 and iPadOS 17.4 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and Safari web browser that could result in arbitrary code execution.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.
The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).
Google, in an advisory published in June 2023, acknowledged it found indications that "CVE-2023-21237 may be under limited, targeted exploitation." As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.