Update now! Apple patches vulnerabilities on iPhone and iPad


Apple has issued an emergency update to patch two vulnerabilities, including an actively exploited one.

Apple has released iOS 17.0.3, an emergency update fixing two vulnerabilities, one of which has already been exploited by cybercriminals.

The update is available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The updates may already have reached you, but it doesn’t hurt to check you’re on the latest version of iOS. Here’s how:

  1. Go to Settings > General, then tap Software Update.
  2. If an update is available it will ask if you want to update now tonight. Chose Update Now.
  3. Enter your passcode, then tap Install Now.

Setting your device to update automatically is really the best way to stay on top of any vulnerabilities. Here’s how:

  1. Go to Settings > General, then tap Software Update.
  2. Tap Automatic Updates
  3. Toggle the settings to all be on.

Technical details

The CVEs patched in these updates are:

CVE-2023-42824: A vulnerability in the kernel. Exploitation would allow a local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6. The issue was addressed with improved checks.

CVE-2023-5217: A heap buffer overflow in vp8 encoding in libvpx prior to 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. The issue was addressed by updating to libvpx 1.13.1.

The vulnerability in libvpx impacted other applications as well, including Chrome, Edge, and other Chromium browsers.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.



Source link