Apple has been forced to issue more emergency updates to fix two new zero-day vulnerabilities impacting iOS and iPadOS users.
An advisory published on Wednesday described CVE-2023-42824 as a kernel issue that could allow a local attacker to elevate their privileges; Apple said it was addressed with improved checks. A local privilege escalation of this kind is rarely used on its own: it assumes the attacker already runs code on the device, so in practice it is chained behind a remote code-execution bug such as the second flaw fixed in the same release.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the tech giant added.
The second zero-day, CVE-2023-5217, is a buffer overflow in libvpx, the open source VP8/VP9 video codec library bundled by Apple's WebRTC implementation, and could lead to arbitrary code execution. It is the same libvpx flaw Google had patched in Chrome the previous week. Apple said it was fixed by updating libvpx to version 1.13.1.
Both patches are part of the iOS 17.0.3 and iPadOS 17.0.3 update and are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
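For anyone checking a device fleet against this release, the practical question is which devices are still below 17.0.3. The script below is an added example for this article, not code from Apple: it takes a constructed MDM-style inventory (the platform names, device IDs and the `os_version` field are assumptions), compares versions numerically rather than as strings (the usual compliance-script bug, where "17.10" sorts before "17.9"), and reports devices still on the 16.x line separately, because this advisory only describes the 17.0.3 update and says nothing about other release lines.

```python
"""Flag devices that have not received iOS/iPadOS 17.0.3 (CVE-2023-42824, CVE-2023-5217).

Added example for this article, not Apple's code. The inventory rows are
constructed sample data; real input would come from an MDM export.
"""
from __future__ import annotations

# Patch baseline stated in the advisory: both fixes ship in 17.0.3.
# Assumption: inventory rows carry a platform ("iOS"/"iPadOS") and a version string.
PATCHED_IN = {"iOS": "17.0.3", "iPadOS": "17.0.3"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '17.0.3' into (17, 0, 3) so comparison is numeric, not lexicographic.

    Padding to three components means '17.1' becomes (17, 1, 0) and compares
    correctly against '17.0.3'; plain string comparison would rank
    '17.10' below '17.9'.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected Apple version string: {v!r}")
    return parts + (0,) * (3 - len(parts))


def patch_status(platform: str, version: str) -> str:
    """Classify one device against the 17.0.3 baseline.

    Returns 'patched', 'needs_update' or 'other_release_line'. A device still on
    16.x is on a different release line: this advisory says nothing about it,
    so it is reported separately rather than assumed safe or assumed vulnerable.
    """
    baseline = parse_version(PATCHED_IN[platform])
    current = parse_version(version)
    if current[0] != baseline[0]:
        return "other_release_line"
    return "patched" if current >= baseline else "needs_update"


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group device IDs by patch status, preserving inventory order."""
    groups: dict[str, list[str]] = {
        "patched": [],
        "needs_update": [],
        "other_release_line": [],
    }
    for row in inventory:
        groups[patch_status(row["platform"], row["os_version"])].append(row["device_id"])
    return groups


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "iphone-a", "platform": "iOS", "os_version": "17.0.3"},
    {"device_id": "iphone-b", "platform": "iOS", "os_version": "17.0.2"},
    {"device_id": "iphone-c", "platform": "iOS", "os_version": "17.1"},
    {"device_id": "ipad-d", "platform": "iPadOS", "os_version": "17.0"},
    {"device_id": "iphone-e", "platform": "iOS", "os_version": "16.6.1"},
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>19}: {', '.join(ids) or '-'}")
```

The "other_release_line" bucket is deliberate: a device on 16.6.1 is not covered by the 17.0.3 advisory, and Apple's own note that CVE-2023-42824 was exploited against versions before 16.6 is a statement about where attacks were seen, not a statement that 16.6 and later are fixed. Those devices need a separate check once Apple publishes guidance for that line.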
Apple's advisory does not credit a researcher for either bug, so it is unclear whether they were used to deliver commercial spyware.
Apple has had to patch a slew of zero-days in recent weeks that were reported by Google and the non-profit Citizen Lab, both of which have a track record of uncovering commercial spyware operations and the state-backed customers behind them.
At the end of September, Apple patched three of these: CVE-2023-41992 in the kernel, CVE-2023-41991 in the Security framework and CVE-2023-41993 in the WebKit browser engine. They were linked to the Predator spyware sold by Cytrox.
At the start of the same month, it fixed two more, CVE-2023-41061 in Wallet and CVE-2023-41064 in ImageIO, which Citizen Lab tied to a zero-click chain delivering the notorious Pegasus spyware developed by NSO Group.
This brings the total number of zero-days patched by Apple to 17 for the year so far.