Executive Summary
Apple has released security patches for two vulnerabilities that are being actively exploited in the wild.
Both have been addressed in iOS 17.0.3 and iPadOS 17.0.3.
CVE-2023-42824, a kernel flaw, allows a local attacker to elevate privileges.
CVE-2023-5217, a heap-based buffer overflow in VP8 encoding in libvpx (the codec library used by WebRTC), can lead to arbitrary code execution on affected devices.
Users are strongly advised to promptly update their iOS and iPadOS operating systems.
Additionally, Apple recommends enabling Lockdown Mode to reduce the risk of being targeted by mercenary spyware exploits.
Vulnerabilities
CVE-2023-42824
- Affected Component: Kernel
- Impact: Allows a local attacker to elevate privileges
- CVSS: Not announced, pending further analysis
- Affected Software Versions: iOS and iPadOS releases prior to 17.0.3 (Apple reports exploitation only against versions of iOS before iOS 16.6)
- Patched Software Versions: iOS 17.0.3 and iPadOS 17.0.3
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," Apple stated, without offering further details.
CVE-2023-5217
- Affected Component: WebRTC
- Impact: Heap-based buffer overflow in VP8 encoding in libvpx, which WebRTC relies on; may lead to arbitrary code execution
- CVSS: 8.8 (High)
- Affected Software Versions: Not specified by Apple
- Patched Software Versions: iOS 17.0.3 and iPadOS 17.0.3
Note that this is not an Apple-only bug: the same libvpx code ships in Chromium-based browsers, and Google (Chrome) and Microsoft (Edge) had already released patches for this actively exploited vulnerability before Apple's update. For more information, please refer to our related news.
For more information about Apple’s security patch, please refer to Apple’s advisory.
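To turn the advisory into an actionable check, here is an added example (not code from this article, and not Apple's tooling) that triages an MDM-style inventory export against the two thresholds stated above: the fix ships in iOS/iPadOS 17.0.3, and Apple's statement names exploitation of CVE-2023-42824 against versions before iOS 16.6. The CSV layout, the device names and the `classify`/`triage` helpers are assumptions constructed for this example.

```python
"""Fleet exposure triage for CVE-2023-42824 / CVE-2023-5217 on iOS and iPadOS.

Added example for this write-up; not Apple's tooling. The inventory format
(CSV with device_id, platform, os_version) is an assumption modelled on a
typical MDM export. Thresholds come from the advisory text: the fix ships in
iOS/iPadOS 17.0.3, and Apple reports exploitation against versions before 16.6.
"""
import csv
import io
import re

PATCHED_VERSION = (17, 0, 3)       # iOS 17.0.3 / iPadOS 17.0.3
EXPLOITED_BELOW = (16, 6, 0)       # Apple: "versions of iOS before iOS 16.6"
AFFECTED_PLATFORMS = {"iOS", "iPadOS"}   # platforms this advisory covers

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """Turn '17.0.3' or '16.6' into a zero-padded 3-tuple; raise on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(platform, version_text):
    """Return one of: 'not-applicable', 'patched', 'unpatched',
    'unpatched-exploited-range', or 'unknown' (unparseable version)."""
    if platform not in AFFECTED_PLATFORMS:
        return "not-applicable"
    try:
        v = parse_version(version_text)
    except ValueError:
        # Betas, blanks and typos must not be silently counted as safe.
        return "unknown"
    if v >= PATCHED_VERSION:
        return "patched"
    if v < EXPLOITED_BELOW:
        # Unpatched AND inside the window Apple confirmed was attacked.
        return "unpatched-exploited-range"
    return "unpatched"


def triage(inventory_csv):
    """Classify every row of a device_id,platform,os_version CSV.
    Returns a dict mapping status -> sorted list of device ids."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["platform"], row["os_version"])
        buckets.setdefault(status, []).append(row["device_id"])
    return {status: sorted(ids) for status, ids in buckets.items()}


# Constructed sample inventory for the example (not real devices).
SAMPLE_INVENTORY = """device_id,platform,os_version
ipad-001,iPadOS,17.0.3
phone-002,iOS,17.0.2
phone-003,iOS,16.5.1
phone-004,iOS,16.6
mac-005,macOS,14.0
phone-006,iOS,beta
"""

if __name__ == "__main__":
    for status, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:28s} {', '.join(ids)}")
```

Any iOS or iPadOS device below 17.0.3 is unpatched for both CVEs; the "exploited-range" bucket only marks which of those fall inside the window Apple has confirmed was attacked, so it is a prioritisation aid, not a reason to exclude the rest. Unparseable versions are surfaced as "unknown" rather than treated as safe, and devices on platforms outside this advisory are set aside rather than mis-scored.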
Other Recent Apple Vulnerabilities
Apple continues to contend with zero-day exploitation of its software, having addressed numerous actively exploited vulnerabilities since the beginning of the year.
Two weeks before this update, Apple fixed three other zero-days: CVE-2023-41991 (a signature-validation bypass in the Security framework), CVE-2023-41992 (kernel privilege escalation) and CVE-2023-41993 (arbitrary code execution in WebKit). Researchers reported that this chain was used by the commercial spyware vendor Cytrox, part of the Intellexa consortium, to deliver its Predator spyware. Please see our news for more information about these fixes.