Apple Fixes iOS Kernel Zero-Days Being Exploited in the Wild
Real-World Scenarios Are Sketchy But Researchers Warn: 'Assume Spyware; Update Now'

Apple pushed out an emergency security update for two critical zero-day flaws that attackers are using to carry out memory corruption attacks on iPhone and iPad devices.
In Tuesday's urgent security release the company fixed four vulnerabilities. Two of them, CVE-2024-23225 and CVE-2024-23296, are memory corruption bugs that let an attacker who already has arbitrary kernel read and write capability bypass kernel memory protections; the first is in the kernel itself and the second in RTKit, the real-time OS Apple runs on its coprocessors. Neither bug hands an attacker kernel read/write on its own, but combined with an earlier stage in an exploit chain they defeat the mitigations meant to contain that access.
Whether and how the flaws have been exploited in the wild remains unclear, and neither the attacks nor the threat actors behind them have been described. Apple says both bugs were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6.
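For fleet operators the practical question is which devices still sit below the fixed builds. The script below is an added example, not code from the article or from Apple: it classifies iOS/iPadOS version strings against the two fixed versions the advisory names (17.4 and 16.7.6), handling the fact that 16.7.6 is patched while 17.0 through 17.3.x are not. The device inventory is constructed sample data, and treating major versions not named on the page (15.x and below as exposed, 18+ as fixed) is an assumption made for the example.

```python
# Added example: flag devices still exposed to CVE-2024-23225/CVE-2024-23296
# based on their reported iOS/iPadOS version. Fixed versions come from Apple's
# advisory (17.4 and 16.7.6); the inventory below is constructed sample data.

from typing import List, Tuple

# Minimum fixed build per maintenance branch, as a zero-padded 3-tuple.
FIXED_VERSIONS = {16: (16, 7, 6), 17: (17, 4, 0)}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '17.4' or '16.7.6' into a zero-padded (major, minor, patch) tuple."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version string: {s!r}")
    padded = parts + (0,) * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def is_fixed(version: str) -> bool:
    """True if this version carries the fix for the two kernel zero-days."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        # Compare within the device's own branch: 16.7.6 is fixed even
        # though it is numerically below the unfixed 17.3.1.
        return v >= FIXED_VERSIONS[major]
    # Assumption for this example: branches newer than the highest fixed one
    # (18+) include the fix; older branches (15.x and below) received no fix
    # in this release and are treated as exposed so they get reviewed.
    return major > max(FIXED_VERSIONS)


# Constructed MDM-style inventory: device name, OS, reported version.
SAMPLE_INVENTORY = """\
ipad-finance-01,iPadOS,17.3.1
iphone-exec-07,iOS,17.4
iphone-legacy-02,iOS,16.7.5
ipad-kiosk-03,iPadOS,16.7.6
iphone-old-09,iOS,15.8.1
"""


def exposed_devices(inventory: str) -> List[str]:
    """Return the names of devices whose version is below the fixed build."""
    exposed = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _os_name, version = line.split(",")
        if not is_fixed(version):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for device in exposed_devices(SAMPLE_INVENTORY):
        print("needs update:", device)
```

The per-branch comparison is the part worth copying: a naive lexical or numeric "is the version at least 17.4" check would wrongly flag every patched 16.7.6 device and, worse, pass a 17.3.1 device if it compared strings.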
Cybersecurity expert Paul Ducklin advised users to assume these vulnerabilities are critical and urged them to patch immediately.
The mention of kernel-level memory protection bypass "implies that there are iPhone and iPad spyware implants on the loose," Ducklin said.
Apple's security bulletin includes other unclear wording: "Additional CVE entries coming soon." It does not explain whether those additional CVEs will be related to the read-and-write kernel exploit being used by adversaries or other CVEs related to an entirely different family of bugs, Ducklin said.
The Apple patch comes on the same day that the U.S. Department of the Treasury announced its first-ever set of sanctions against a commercial spyware vendor after technology developed by the Greece-based Intellexa Consortium was used to target U.S. government officials, journalists and policy experts (see: US Announces First-Ever Sanctions Against Commercial Spyware).
"The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal," the announcement said.
The fix for the latest two zero-days marks the second round of patches this year for Apple zero-days exploited in the wild.* Apple addressed the first zero-day of 2024 in January: a type confusion bug in WebKit, the open-source browser engine behind Safari, that allowed remote code execution on iPhones, Macs and Apple TVs.
The iPhone manufacturer in 2023 addressed more than a dozen zero-days that were exploited in real-world attacks.
*Correction March 7, 2024 21:05 UTC: Corrected to state that this is the second round of zero days that Apple has patched this year while the total number of zero days the company has fixed adds up to three.