Apple Issues Security Updates for Older iPhone and iPad Models

Apple has released security updates for older versions of the iPhone and iPad in order to patch two previously exploited zero-day vulnerabilities.

In an official statement, Apple acknowledges a report that these vulnerabilities were actively exploited in versions of iOS up to iOS 16.6.

The first vulnerability, identified as CVE-2023-42824, is a privilege escalation vulnerability due to a weakness in the XNU kernel. This issue has been addressed in iOS 16.7.1 and iPadOS 16.7.1.

The second vulnerability, CVE-2023-5217, is related to a buffer overflow in the encoding of the libvpx library. It could potentially allow attackers to execute arbitrary code. While Apple has not confirmed the exploitation of this vulnerability, Google and Microsoft have previously patched similar bugs in their respective browsers.

The following devices are affected by these two vulnerabilities, and Apple has released updates to address the issues:

  • iPhone 8 and later models
  • iPad Pro (all models), iPad Air 3 and later, iPad 5th generation and later, iPad mini 5th generation and later

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added these security flaws to its list of known exploited vulnerabilities, urging federal agencies to protect their devices from potential attacks.

Since the beginning of this year, Apple has already patched 18 zero-day vulnerabilities that were actively exploited to target iOS, iPadOS, and macOS.

Sources: reports, release notes, official announcements.