Apple patches another iOS zero-day under attack (CVE-2023-42824)

Apple has released a security update for iOS and iPadOS to fix another zero-day vulnerability (CVE-2023-42824) exploited in the wild.

About CVE-2023-42824

CVE-2023-42824 is a kernel vulnerability that could allow a local threat actor to elevate its privileges on affected iPhones and iPads.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company stated.

The vulnerability affects the following devices:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later
  • iPad Pro 10.5-inch
  • iPad Pro 11-inch 1st generation and later
  • iPad Air 3rd generation and later
  • iPad 6th generation and later
  • iPad mini 5th generation and later

The company addressed the vulnerability by releasing iOS 17.0.3 and iPadOS 17.0.3 updates, which also cover CVE-2023-5217 – a buffer overflow vulnerability in VP8 encoding in the libvpx video codec library that could allow arbitrary code execution.

Apple addressed the buffer overflow issue by updating to libvpx 1.13.1.

A glut of exploited zero-days

In the last month or so, Apple has delivered fixes for a number of actively exploited zero-days.

CVE-2023-41064 and CVE-2023-41061 were chained and exploited to deliver NSO Group’s Pegasus spyware to high-risk iPhone users.

Both vulnerabilities were reported by Citizen Lab and have been fixed in both the iOS 16 and iOS 15 branches.

In late September, Citizen Lab together with Google TAG reported three more zero-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) affecting iOS devices. The three zero-days have been leveraged in an exploit chain to deliver Intellexa’s Predator malware to targeted iOS devices.

Apple has addressed these issues in iOS 17 and has also made updates to Lockdown Mode, a security feature that offers additional protection to high-risk users.
