In an urgent security advisory, Apple has released critical software updates to address multiple vulnerabilities in its operating systems, including two zero-day flaws that are being actively exploited by threat actors. The tech giant is urging all users to install the patches immediately to mitigate the risks posed by these vulnerabilities.
The two zero-day vulnerabilities, tracked as CVE-2024-23225 and CVE-2024-23296, are memory corruption issues in the kernel and in the RTKit real-time operating system (RTOS), respectively.
According to Apple's advisory, an attacker who already has arbitrary kernel read and write capability could leverage these flaws to bypass kernel memory protections. In other words, neither bug is an initial entry point on its own; they are the kind of post-exploitation primitive an attacker chains after gaining kernel read/write in order to defeat the remaining mitigations and complete a system compromise.
"An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited," Apple wrote in the advisory.
While Apple has not provided specific details on how these vulnerabilities are being weaponized in the wild, the company acknowledged that they are under active exploitation, signalling the urgency of the situation. The tech behemoth has implemented improved validation measures to address these vulnerabilities in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
The updates are available for a wide range of devices, including the iPhone 8 and later models, various iPad generations, and the iPad Pro lineup.
Users are strongly advised to update their devices to the latest software versions as soon as possible to protect themselves from potential attacks leveraging these zero-day flaws.
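For anyone checking a fleet rather than a single phone, the detail that matters is that the fix shipped on two separate release branches (16.7.6 and 17.4), so a device on 17.3.1 is unpatched even though its version number is higher than 16.7.6. The following script is an added example, not code from Apple or from the article; the inventory in it is constructed sample data, and the FIXED_VERSIONS table simply encodes the versions the advisory names.

```python
"""Flag devices still exposed to CVE-2024-23225 / CVE-2024-23296.

Added example (not Apple's or the article's code): given an inventory of
iOS/iPadOS versions, report which devices sit below the fixed build on
their own release branch. SAMPLE_INVENTORY is constructed data.
"""
from __future__ import annotations

# Fixed versions from Apple's March 5, 2024 advisory, keyed by major release.
# A major not listed here (e.g. 15.x) received no fix in this advisory and
# is treated as exposed.
FIXED_VERSIONS = {
    16: (16, 7, 6),   # iOS 16.7.6 / iPadOS 16.7.6
    17: (17, 4, 0),   # iOS 17.4 / iPadOS 17.4
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.3.1' or '17.4' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> bool:
    """True only if the device is at or above the fix for its own major branch.

    A single numeric comparison against 16.7.6 would wrongly accept 17.0 to
    17.3, which live on the 17 branch and were fixed only in 17.4.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False  # older or unknown branch: no fix named in the advisory
    return v >= fixed


def exposed_devices(inventory: dict[str, str]) -> list[str]:
    """Return the names of devices whose OS version lacks the fix, sorted."""
    return sorted(name for name, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (device name -> reported OS version).
SAMPLE_INVENTORY = {
    "iphone-8-alice": "16.7.5",   # 16 branch, one build short of the fix
    "iphone-13-bob": "17.3.1",    # numerically above 16.7.6 but unpatched on 17
    "ipad-pro-carol": "17.4",     # patched
    "iphone-se-dave": "16.7.6",   # patched on the 16 branch
    "ipad-6-erin": "15.8.1",      # branch not covered by this advisory
}

if __name__ == "__main__":
    for name in exposed_devices(SAMPLE_INVENTORY):
        print(f"EXPOSED: {name} ({SAMPLE_INVENTORY[name]})")
```

Feed it whatever your MDM exports (device name and OS version) and it prints the devices that still need the update; the per-branch table is the part to keep if you adapt it to a later advisory.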
This latest development follows Apple's efforts earlier this year to address another actively exploited zero-day vulnerability, CVE-2024-23222, which affected WebKit, the browser engine powering Safari and other system components. The flaw, a type confusion issue, could have led to arbitrary code execution on affected devices.
Apart from the security fixes, Apple has also pushed updates for users in the European Union. The update message reads:
— Cyber Kendra (@cyberkendra) March 5, 2024
The disclosure of these actively exploited vulnerabilities underscores the ever-evolving cybersecurity landscape and the relentless efforts of threat actors to find and exploit software flaws for malicious purposes. It also highlights the importance of timely patching and security updates from software vendors to protect users from potential compromises.