Apple fixes two actively exploited iOS zero-days (CVE-2024-23225, CVE-2024-23296)
Apple has fixed two iOS zero-day vulnerabilities (CVE-2024-23225, CVE-2024-23296) exploited by attackers in the wild.
CVE-2024-23225 and CVE-2024-23296
On Tuesday, Apple released security updates for all three supported branches of iOS and iPadOS.
iOS and iPadOS 17.4 carry fixes for four vulnerabilities:
- Two affecting the privacy of users (allowing an app to read sensitive location information and making users’ locked tabs visible)
- CVE-2024-23225, a memory corruption issue in the OSes’ kernel that could allow attackers to bypass kernel memory protections
- CVE-2024-23296, a memory corruption issue in RTKit (Apple’s proprietary embedded/real-time operating system) that may also allow attackers to bypass kernel memory protections
CVE-2024-23225 has also been fixed in iOS/iPadOS 16.7.6. “Additional CVE entries [are] coming soon,” Apple noted for both updates.
The iOS/iPadOS 15.8.2 update has currently no associated CVEs.
While it’s usual for Apple to refrain from sharing any details about in-the-wild attacks leveraging their zero-days, they usually acknowledge the person/research team that reported them – but not this time.
The importance of patching
Zero-days in iOS are often exploited by mobile spyware makers to saddle targets with malware capable of extracting sensitive data from their iPhones and to spy on conversations.
This pricy spyware is used sparingly to compromise specific targets, so it isn’t something most users need to worry about.
Still, with Apple having been forced to allow third-party app stores for iOS apps in Europe, malicious apps occasionally lurking on its App Store, and threat actors increasingly developing and looking for malware able to run on iOS and macOS, regularly updating your Apple devices is definitely becoming even more important.
UPDATE (March 8, 2024, 04:50 a.m. ET):
On Thursday, Apple released updates for macOS, watchOS, tvOS, visionsOS and Safari.
The two zero-days (CVE-2024-23225, CVE-2024-23296) previously patched in iOS are also addressed in the updates for macOS Sonoma, watchOS, tvOS and visionOS, while Monterey and Ventura received a patch only for CVE-2024-23225.
The company urges users to update to the following versions:
- Safari 17.4
- macOS Sonoma 14.4
- macOS Ventura 13.6.5
- macOS Monterey 12.7.4
- watchOS 10.4
- tvOS 17.4
- visionOS 1.1
The company has also updated the list of vulnerabilities fixed in the iOS/iPadOS updates released on Tuesday.