Apple has fixed two iOS zero-day vulnerabilities (CVE-2024-23225, CVE-2024-23296) exploited by attackers in the wild.
CVE-2024-23225 and CVE-2024-23296
On Tuesday, Apple released security updates for all three supported branches of iOS and iPadOS.
iOS and iPadOS 17.4 carry fixes for four vulnerabilities:
- Two affecting the privacy of users (allowing an app to read sensitive location information and making users’ locked tabs visible)
- CVE-2024-23225, a memory corruption issue in the OSes’ kernel that could allow attackers to bypass kernel memory protections
- CVE-2024-23296, a memory corruption issue in RTKit (Apple’s proprietary embedded/real-time operating system) that may also allow attackers to bypass kernel memory protections
CVE-2024-23225 has also been fixed in iOS/iPadOS 16.7.6. “Additional CVE entries [are] coming soon,” Apple noted for both updates.
The iOS/iPadOS 15.8.2 update has currently no associated CVEs.
While it’s usual for Apple to refrain from sharing any details about in-the-wild attacks leveraging their zero-days, they usually acknowledge the person/research team that reported them – but not this time.
The importance of
Zero-days in iOS are often exploited by mobile spyware makers to saddle targets with malware capable of extracting sensitive data from their iPhones and to spy on conversations.
This pricy spyware is used sparingly to compromise specific targets, so it isn’t something most users need to worry about.
Still, with Apple having been forced to allow third-party app stores for iOS apps in Europe, malicious apps occasionally lurking on its App Store, and threat actors increasingly developing and looking for malware able to run on iOS and macOS, regularly updating your Apple devices is definitely becoming even more important.