Apple has rushed out an emergency patch for a vulnerability it says may have been exploited.
In its typically tight-lipped advisory, Apple did not detail the nature of the vulnerability, which is designated CVE-2023-42824.
It says only that the issue affects “iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later”.
It’s a local privilege escalation vulnerability in the kernel, which “may have been actively exploited against versions of iOS before iOS 16.6.”
The emergency patch also includes mitigation of a second vulnerability, CVE-2023-5217.
This vulnerability is a bug in the libvpx video codec library from Google and the Alliance for Open Media.
It’s a heap buffer overflow and according to Mozilla, was first reported by Clément Lecigne of Google’s Threat Analysis Group.
“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” resulting in remote code execution, Mozilla’s advisory stated.
Mozilla said it was aware of the issue being exploited “in other products in the wild”.
Apple’s advisory said the issue was addressed by updating to libvpx 1.13.1.