Apple Issues Patch for Critical Zero-Day in iPhones

23.01.2024

 

On Monday, Apple issued security updates for iOS, iPadOS, macOS, tvOS, and the Safari web browser to address a recently discovered zero-day vulnerability that has been actively exploited. The issue, tracked as CVE-2024-23222, is a type confusion bug. Exploiting it could allow a malicious actor to execute arbitrary code by manipulating web content. Apple reported that the flaw has been remedied through enhanced checks.

Type confusion vulnerabilities, like the one addressed in this update, have the potential to be leveraged for out-of-bounds memory access, crashes, and arbitrary code execution.

While Apple acknowledged being “aware of a report that this issue may have been exploited,” specific details regarding the nature of the attacks or the identity of threat actors were not disclosed in the brief advisory.

The security updates are applicable to the following devices and operating systems:

  • iOS 17.3 and iPadOS 17.3 (iPhone XS and later, various iPad models)
  • iOS 16.7.5 and iPadOS 16.7.5 (iPhone 8, iPhone 8 Plus, iPhone X, and specific iPad models)
  • macOS Sonoma 14.3 (Macs running macOS Sonoma)
  • macOS Ventura 13.6.4 (Macs running macOS Ventura)
  • macOS Monterey 12.7.3 (Macs running macOS Monterey)
  • tvOS 17.3 (Apple TV HD and Apple TV 4K, all models)
  • Safari 17.3 (Macs running macOS Monterey and macOS Ventura)

 

This development marks Apple’s first response to an actively exploited zero-day vulnerability in the current year. In the previous year, Apple addressed a total of 20 zero-days that were actively used in real-world attacks.

Additionally, Apple has retroactively applied fixes for CVE-2023-42916 and CVE-2023-42917, vulnerabilities for which patches were released in December 2023. These fixes have been extended to older devices, including iPhone 6s, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

This announcement comes on the heels of a separate report revealing that Chinese authorities utilized known vulnerabilities in Apple’s AirDrop functionality to aid law enforcement in identifying individuals sending inappropriate content, employing a technique based on rainbow tables.

 
 
 
