Apple Releases Emergency Patch for New 0-Day Vulnerability
Apple has released emergency patches to fix another zero-day vulnerability that was already being exploited in attacks targeting iPhone and iPad users. The issue was discovered in the XNU kernel and has been assigned the identifier CVE-2023-42824. According to reports, a local attacker could use this vulnerability to escalate privileges on unpatched iPhones and iPads.
Apple developers addressed the problem with the release of iOS 17.0.3 and iPadOS 17.0.3 by implementing improved checks. However, the company has not yet disclosed who reported the vulnerability or provided any technical details.
Devices Affected by CVE-2023-42824
- iPhone XS and newer
- iPad Pro 12.9-inch (2nd generation and newer)
- iPad Pro 10.5-inch
- iPad Pro 11-inch (1st generation and newer)
- iPad Air (3rd generation and newer)
- iPad (6th generation and newer)
- iPad mini (5th generation and newer)
Apple emphasizes that this vulnerability may have already been actively exploited against iOS users (up to version 16.6).
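For a fleet administrator, the practical follow-up to an advisory like this is to find which managed iPhones and iPads are still below the fixed release. The script below is an added example, not code from the article or from Apple: it parses iOS version strings into comparable tuples, flags iPhone and iPad entries below 17.0.3, and skips non-iOS devices. The inventory it runs over is constructed sample data, and the assumption that an MDM export reports a model name and an OS version string per device is the author's, not something the article describes.

```python
"""Flag iPhones/iPads still below the release that fixes CVE-2023-42824.

Added example. The device inventory below is constructed sample data; the
inventory format (model name + OS version string per device) is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass

# iOS 17.0.3 / iPadOS 17.0.3 is the release the advisory names as the fix.
FIXED_VERSION = (17, 0, 3)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.0.3', '16.6' or '17' into a (major, minor, patch) triple.

    Numeric tuples compare correctly ('17.0.10' > '17.0.3'), which a plain
    string comparison would get wrong.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


@dataclass
class Device:
    name: str        # inventory label (constructed)
    model: str       # e.g. "iPhone 15", "iPad Pro 11-inch"
    os_version: str  # as reported by the device, e.g. "17.0.2"


def is_unpatched(device: Device) -> bool:
    """True when the device runs an iOS/iPadOS build older than 17.0.3."""
    return parse_version(device.os_version) < FIXED_VERSION


def unpatched_devices(inventory: list[Device]) -> list[Device]:
    """Return the iPhones and iPads that still lack the fix.

    Non-iOS entries (Macs, etc.) are skipped: the advisory covers iPhone and
    iPad only. Devices with an unparseable version are reported as unpatched
    so they are not silently dropped from the follow-up list.
    """
    flagged: list[Device] = []
    for device in inventory:
        if not device.model.startswith(("iPhone", "iPad")):
            continue
        try:
            if is_unpatched(device):
                flagged.append(device)
        except ValueError:
            flagged.append(device)
    return flagged


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ops-01", "iPhone 15", "17.0.2"),          # below fix -> flag
    Device("ops-02", "iPad Pro 11-inch", "17.0.3"),   # on the fixed build
    Device("ops-03", "iPhone XS", "16.6"),            # below fix -> flag
    Device("ops-04", "MacBook Pro", "14.0"),          # not in scope -> skip
    Device("ops-05", "iPhone 14", "17.1"),            # newer than fix
    Device("ops-06", "iPad mini", "unknown"),         # unparseable -> flag
]

if __name__ == "__main__":
    for d in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{d.name}: {d.model} on {d.os_version} needs iOS/iPadOS 17.0.3")
```

Devices still on an iOS 16 build are also flagged, since the article notes that the bug may have been exploited against versions up to 16.6 and the only fixed release it names is 17.0.3.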
Another 0-Day Vulnerability Also Patched
Apple engineers also fixed another zero-day vulnerability, CVE-2023-5217, which had been reported earlier. This issue is a heap buffer overflow in libvpx, the open-source VP8 video codec library. Exploiting this bug could lead to anything from application crashes to arbitrary code execution on the victim's system.
The libvpx vulnerability had already been addressed by Google in the Chrome browser, as well as by Microsoft in products such as Edge, Teams, and Skype.
Apple's 2023 Zero-Day Vulnerability Fixes
In total, Apple has now fixed 17 zero-day vulnerabilities in its products in 2023.