Priya PatelTLDR:
Hackers have exploited two zero-day vulnerabilities in iOS and iPadOS 17.4 versions, allowing them to bypass memory protections and perform arbitrary kernel read and write on affected devices. Apple has issued patches to address these vulnerabilities (CVE-2024-23225 and CVE-2024-23296). Users are urged to install the latest security patches to prevent exploitation.
Summary:
Two new zero-day vulnerabilities have been identified in iOS and iPadOS 17.4 versions, enabling threat actors to bypass memory protections and execute arbitrary kernel read and write on targeted devices. Identified as CVE-2024-23225 and CVE-2024-23296, Apple has promptly released patches to mitigate these vulnerabilities. Although the severity of the risks posed by these vulnerabilities is still undetermined, Apple has acknowledged reports of threat actors exploiting them in the wild.
The first vulnerability, CVE-2024-23225, affects iOS kernel devices such as iPhone XS and later models, iPad Pro 12.9-inch 2nd generation and later, among others. This flaw arises from a memory corruption issue, providing threat actors with an avenue to perform arbitrary kernel read and write by circumventing kernel protections. The severity level for this vulnerability is yet to be classified.
On the other hand, CVE-2024-23296 pertains to a similar vulnerability in Apple’s Real-Time Operating System, RTKit, which is integrated across multiple Apple devices. Like its counterpart, this flaw allows threat actors to conduct arbitrary read/write operations on the kernel by evading kernel protections. The severity assessment for this vulnerability is also pending.
In addition to these critical vulnerabilities, Apple has also addressed CVE-2024-23256 and CVE-2024-23243, concerning Accessibility and Safe Private Browsing. By enhancing input validation, Apple aims to fortify these vulnerabilities and thwart potential exploitation by threat actors. Users are strongly advised to promptly install the latest security patches and updates to bolster their device’s defenses against cyber threats.
