Vulnerability Management, Managed Security Services, Endpoint/Device Security

Zero Day Flaw: Apple Issues Critical iOS Security Updates

Apple iPhone 15 phones are seen in this illustration photo taken at the store in Krakow, Poland on February 21, 2024. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
.

Apple has released a series of critical security updates to fix several security flaws, two of which are new zero-day security vulnerabilities possibly exploited in the wild.

In an advisory issued on March 5, Apple said that it is “aware of a report that this issue may have been exploited."

At this point, it’s not clear how the flaws are being exploited in the wild, particularly for ransomware attacks.

The updates concern managed security service providers (MSSPs) and managed service providers (MSPs) that manage iPhone and iPad endpoints in business settings.

Apple iOS Critical Vulnerabilities

The vulnerabilities are as follows:

  • CVE-2024-23225. A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections.
  • CVE-2024-23296. A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections.

Apple said both bugs were addressed “with improved validation” in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

The cybersecurity updates concern the following devices:

  • iOS 16.7.6 and iPadOS 16.7.6. iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
  • iOS 17.4 and iPadOS 17.4. iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections,” for the vulnerable devices, Apple said.

CISA Action

The Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, in which it asked federal agencies to install updates by March 27, 2024.

CISA is also advising users to apply mitigations as instructed by Apple or discontinue using the product if mitigations are unavailable.

Related