Apple thwarts zero-day attacks with iOS 17.4 update


Mélina LOUPIA

March 6, 2024 at 3:15 p.m.

The Cupertino manufacturer has sent several updates to its iOS © Tada Images / Shutterstock

Apple has released security updates to fix several security flaws, including two vulnerabilities that the company says were actively exploited.

Apple rolled out an urgent software update on March 5, 2024 to fix several security flaws in its flagship iOS platform and warned that there was evidence of zero-day exploits in the wild.

The Cupertino manufacturer sent several updates to its mobile operating system – iOS 17.4, iPadOS 17.4 and iOS 16.7.6 – to cover security flaws and confirmed the exploitation in the wild with a terse note: “Apple is aware of a report that this issue may have been exploited”.

Two vulnerabilities exploited

It’s not yet clear how these flaws are being exploited, but Apple said both vulnerabilities have been fixed through enhanced validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

  • Kernel (CVE-2024-23225) – An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report indicating that this issue may have been exploited. Description: A memory corruption issue has been fixed with improved validation.
  • RTKit (CVE-2024-23296) – An attacker with arbitrary kernel read and write capabilities may be able to bypass kernel memory protections. Apple is aware of a report indicating that this issue may have been exploited. A memory corruption issue has been resolved with improved validation.

The company classified the kernel flaw as “exploited” on older versions of iOS.

Updates available

The Cupertino company has made the updates available for download on its customer support site:

  • iOS 16.7.6 and iPadOS 16.7.6 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch and iPad Pro 12.9-inch 1st generation
  • iOS 17.4 and iPadOS 17.4 – iPhone 6th generation and later, and iPad mini 5th generation and later.
© Shutterstock

More flaws to come?

Apple also fixed a privacy flaw in Accessibility that could allow apps to read sensitive location information, as well as a Private Browsing bug in Safari that exposed a user’s locked tabs when swiping from one tab group to another when Locked Private Browsing was enabled.

The company said CVEs describing other vulnerabilities would be added to the advisory later, suggesting that many more fixes have not yet been documented.

With this latest development, Apple has fixed a total of three actively exploited security vulnerabilities in its software since the start of the year. In late January 2024, it closed a type confusion vulnerability in WebKit (CVE-2024-23222) affecting iOS, iPadOS, macOS, tvOS and the Safari web browser, which could lead to arbitrary code execution.

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the necessary updates by March 26, 2024.

Source: SecurityWeek, Apple


