Apple released new emergency security updates on Wednesday to patch two new zero-day vulnerabilities known to be exploited in attacks.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory issued on Wednesday.
The first zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.
While Apple said it addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has yet to reveal who found and reported the flaw.
The list of impacted devices is quite extensive, and it includes:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Apple also addressed a bug tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.
While Apple didn't tag it as exploited in the wild, the libvpx bug was previously patched as a zero-day by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.
CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google's Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.
18 zero-days exploited in attacks fixed this year
CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.
Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox's Predator spyware.
Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware.
Since January 2023, Apple has addressed a total of 18 zero-days exploited to target iPhones and Macs, including:
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February
Today's iOS 17.0.3 release also addresses a known issue causing iPhones running iOS 17.0.2 and lower to overheat.
"This update provides important bug fixes, security updates, and addresses an issue that may cause iPhone to run warmer than expected," Apple said.
Comments
IhateMicroSoft - 7 months ago
This build also addresses the issue with 15's overheating.
Hmm888 - 7 months ago
"This build also addresses the issue with 15's overheating."
Nope. It doesn't.
If what Apple claims is 100% accurate and the overheating is strictly a software issue then the app developers still have to fix their apps. And if part of the problem is in fact the case, then this won't be fixed (assuming Apple doesn't throttle the iPhone's CPU).
RaunchyButts - 7 months ago
"Zero-days?"
No. English has lots of descriptive words. Try some.
deejinoz - 7 months ago
Zero-day is a perfectly acceptable term, used in the field of cybersecurity .
https://www.google.com/gasearch?q=zero-day%20definition&tbm=&source=sh/x/gs/m2/5
Hmm888 - 7 months ago
""Zero-days?"
No. I English has lots of descriptive words. Try some."
I like the current buzz words like bolstered, amazing, jaw-dropping or jaw breaking, immersed, and game changer (and their variants).
Haha. Actually, I don't, but it seems I'm in the minority and those who can't think independently and critically like to parrot or emulate words and behaviors of others to conform to our wonderful unhinged society.
Hmm888 - 7 months ago
Deja vu.
perry8 - 7 months ago
Is iOS 16.7 vulnerable to the CVEs listed in 17.0.3?
LittleRed333 - 7 months ago
I have no idea what any of these terms mean except that it’s bad and I’m not sure if it would have anything to do with why my iPhone 13 Pro has been so bad. Like it has said that a new device logged into my home WiFi and many other apps and sites too I believe. My old iPhone 6S+ I had before this new one Apple was sharing my screen and told me that my phone had a poltergeist in it! I’m pretty sure that when I transferred my information from my old phone to this phone that the poltergeist came with it because it just goes into the pinwheel of death like it’s going to start powering down but doesn’t and it does that usually at least a few times a week or so. I’ve tried to call and talk to Apple support and nobody can really figure it out without me factory resetting the whole phone except for the last guy said to just keep deleting 5 to 10 apps a day until it stops behaving like that so I’ve been trying that and it used to go the pinwheel thing every day so it’s progress. I think that this whole erasing my Apple ID password and then calling itself a new device along with other websites and apps like blockchain I think maybe it’s got to do with all of these issues that you all were talking about! I am going to make sure my phone is updated all the way and maybe it will work, will see fingers crossed
TazAholic4Life - 7 months ago
READ THIS!!!
I alerted apple about getting hacked mid august, when I was on ios 16.5 iphone 12 pro max. They got my passwords and have tried to use it. They were basically invisible to and started deleting most used apps and other stuff. I Resest my phone as saw a spy sometyhing from a load glitch, that left me fighting to get back my phone. I called apple support, as suddenly I couldn't use my apple ID account, as it's password had been reset, to some 28 digit code, that is key to apparently un-encrypt my account and icloud, with 20,000 photos of my daughters growing up. which was devastaating and the feeling that this could happen, still upsets me. BUT THAT IS NOT ALL!!! my account was put in lockdown, and I could not pay my applecare insurance, effectively making me an android user son, as disabled and can't afford iphone again. Which sucks as Beats android by a mile, I was a top supporter and got 20+ people to buy their product instead in my life from iphone 2 to now. I fail to see how this code, is my faults, but was made to feel, "I should be more careful with my passwords! as they know what I'm decribing is real, I then broke phone rest the way, and had replaced before applecare was let run out by them. Now tell me, HOW DOES THE APPLE ID REPLACE MY LICENSE, SOCIAL, AND STUFF, EVEN In person as got replaced at apple store. where one support lead told me, I'll get a new applecare as new phone. I got home and recalled the applecare, but nobody would, even right in front of there staff with ID and PROOF! I was myself! I then call support several times, as I got different answers each time, and was praying for that one customer service rep, that cares. She said on 3rd try, that she just needs the replaced proof and can change date and get me on insured iphone again. But next day I called back to get a line of Huh, nope, and the like. I bought the phone for calling and it has other uses, So how can they justify just not letting me pay vvia debit card... Oh and the 100 on applepay wallet they kept also. Oh here is a tip, call in a replacement, but then after telling them it has a cracked screen or back, or whatever... but then say you think you'll wait. this gives you an extra month if you have a similar issue, and they held al cards to let applecare lapse. I bought phone with my ID... and the password or death to account code, that I'd never add to account, as bad with losing stuff like that. and lose everything? hell no... They have gone downhill for customer support since steve jobs died.