Apple has released an emergency update to fix an actively exploited zero-day vulnerability. CVE-2023-42824 is a critical severity vulnerability affecting iPhones and iPads. A local attacker can exploit the vulnerability that exists in the XNU kernel to gain privileges. Apple has fixed the vulnerability with improved checks.
Apple has mentioned in their advisories that they are aware of active exploitation of the CVE-2023-42824 in attacks against iOS versions before iOS 16.6.
The second vulnerability is CVE-2023-5217, a heap buffer overflow vulnerability in the VP8 encoding of the open-source libvpx video codec library. An attacker may exploit this vulnerability to perform arbitrary code execution. Apple has fixed the vulnerability by updating to libvpx 1.13.1.
Google has also addressed CVE-2023-5217 in its Chrome browser.
CISA acknowledged active exploitation of CVE-2023-42824 by adding it to its Known Exploited Vulnerabilities Catalog and recommended users to patch before October 26, 2023.
Zero-day vulnerabilities addressed by Apple this year so far:
- CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 in September
- CVE-2023-41061 and CVE-2023-41064 in September
- CVE-2023-37450 and CVE-2023-38606 in July
- CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439 in June
- CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 in May
- CVE-2023-28206 and CVE-2023-28205 in April
- CVE-2023-23529 in February
- iPhone XS and later
- iPad 6th generation and later
- iPad Air 3rd generation and later
- iPad mini 5th generation and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
Customers must upgrade to the latest iOS 17.0.3 and iPadOS 17.0.3 to patch the vulnerabilities.
For more information, please visit the Apple security advisory.
Qualys customers can scan their devices with QID 610511 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.