
Apple reveals 2 iOS zero-day vulnerabilities


Apple announced on Tuesday the discovery of two iOS vulnerabilities that it believes may have been exploited. The tech giant released security updates for iOS 17.4 and iPadOS 17.4 to address the zero-day flaws, tracked as CVE-2024-23225 and CVE-2024-23296. CVE-2024-23225 is described as a memory corruption issue affecting the kernel, potentially allowing attackers with arbitrary kernel read and write capabilities to bypass memory protections. CVE-2024-23296 carries a similar description but is specific to RTKit, an operating system found in Apple chips, peripherals, and embedded devices.

The affected devices include the iPhone XS and later models, iPad Pro 12.9-inch 2nd generation and newer, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and beyond, as well as the iPad 6th generation and later, and iPad mini 5th generation and later.

Apple did not provide specific details or credit any researchers in its security advisory, but it did state that both vulnerabilities may have been exploited in the wild. The company addressed these issues through “improved validation” but did not assign a CVSS score to the vulnerabilities at the time of the announcement.

Kaspersky, a well-known cybersecurity company, highlighted the concerning capability of these flaws to bypass kernel memory protections, potentially leading to privilege escalation. They also noted the absence of credited researchers, indicating a possible ongoing investigation. Kaspersky urged all iOS users to update their devices promptly to protect themselves from potential risks.

When approached for comments, an Apple spokesperson declined to provide any additional information.

These recent vulnerabilities, CVE-2024-23225 and CVE-2024-23296, mark the second and third zero-day flaws that Apple has addressed in 2024. The first zero-day, CVE-2024-23222, was resolved in January through a similar update. This particular flaw involved a type confusion issue in WebKit, where processing malicious web content could result in arbitrary code execution.

Apple has been forthcoming about disclosing zero-day vulnerabilities in recent years, with many of them linked to exploits utilized by the commercial spyware industry. In September of the same year, the company disclosed three vulnerabilities that impacted iOS and iPadOS. Researchers Bill Marczak from Citizen Lab and Maddie Stone from Google’s Threat Analysis Group were credited with discovering these zero-day flaws. Following the disclosure, Citizen Lab researchers published a blog post connecting the vulnerabilities to an exploit chain used to deliver Cytrox’s Predator spyware.

The continuous discovery and remediation of these vulnerabilities underscore the importance of ongoing vigilance in cybersecurity efforts. Users are advised to stay updated with the latest security patches and take necessary precautions to safeguard their data and devices from potential threats.

As the cybersecurity landscape evolves, industry experts continue to collaborate and innovate to address emerging challenges and protect digital ecosystems against malicious actors and cyber threats.
