Another security update, Apple? You're really keeping up with your tech rivals

Zero day? More like every day, amirite?


Apple has demonstrated that it can more than hold its own among the tech giants, at least in terms of finding itself on the wrong end of zero-day vulnerabilities.

iOS and iPadOS have again come under attack, and Apple has rushed out a fix to ward off miscreants.

The latest issues are CVE-2023-42824 and CVE-2023-5217. The latter is a week old and refers to a heap buffer overflow in the VP8 compression format in libvpx. Apple noted that the overflow could result in arbitrary code execution and fixed it by updating to libvpx 1.13.1.

The former, however, is a little more mysterious at this stage. It permits a local attacker to elevate their privileges, and Apple said it might have been actively exploited against versions of iOS before iOS 16.6.

The fix is in the kernel, and, according to Apple: "The issue was addressed with improved checks."

Devices for which the fix – in iOS 17.0.3 and iPadOS 17.0.3 – is available include the iPhone XS and later, the 6th generation iPad and later, and the iPad Mini from the 5th generation onward. Apple's description of the update can be found here. The company dropped support for older models in iOS 17.
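For anyone auditing a fleet against this update, the following is an added example (not from the article, from Apple, or from any MDM vendor) of a minimal patch-compliance check: it parses version strings like "17.0.3", compares them against the fixed releases the article names (iOS 17.0.3 and iPadOS 17.0.3), and reports devices in a constructed sample inventory that still sit below them. The device names and versions in the inventory are made up for illustration; the check knows only what the article states, so anything below 17.0.3 is flagged as needing the update, including devices still on iOS 16 that the article does not address.

```python
"""
Added example: patch-compliance check for the iOS/iPadOS 17.0.3 update.
Not Apple's code and not tied to any real device-management product.
"""
from typing import List, Tuple

# Minimum fixed release per platform, as stated in the article.
FIXED_VERSIONS = {
    "iOS": "17.0.3",
    "iPadOS": "17.0.3",
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn "17.0.3" into (17, 0, 3); pad short strings so "17" == "17.0.0"."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(platform: str, version: str) -> bool:
    """True if the device runs the fixed release or anything later."""
    if platform not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform])


def unpatched_devices(inventory: List[str]) -> List[str]:
    """Given 'name,platform,version' lines, return the names still needing the update."""
    needs_update = []
    for line in inventory:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        name, platform, version = (field.strip() for field in line.split(","))
        if not is_patched(platform, version):
            needs_update.append(name)
    return needs_update


# Constructed sample inventory: hypothetical device names and versions.
SAMPLE_INVENTORY = [
    "# name,platform,version",
    "cfo-iphone,iOS,17.0.2",
    "sales-ipad,iPadOS,17.0.3",
    "lab-iphone,iOS,16.7",
    "exec-iphone,iOS,17.1",
]

if __name__ == "__main__":
    for device in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device}: below the fixed release, update required")
```

Running the block prints the two constructed devices that are still below 17.0.3. Comparing padded integer tuples rather than strings is the point worth keeping: a naive string comparison would rank "17.0.3" below "17.0.12".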

Apple devices have come under increasing scrutiny from attackers in recent years. The company was forced to hurry out patches in the last few weeks to deal with vulnerabilities in its software, which included a privilege elevation exploit in the kernel – CVE-2023-41992.

It is not clear if CVE-2023-41992 and the latest CVE-2023-42824 are connected. Both are related to kernel privilege elevation. CVE-2023-41992 was part of a trio of security holes exploited by the Predator spyware sold by Intellexa to infect the iPhones of victims.

In the case of the Predator spyware, the suggestion was that users should update their devices immediately. Users likely to find themselves targeted should also consider enabling Lockdown Mode to ward off attackers. ®
