Another security update, Apple? You're really keeping up with your tech rivals

Zero day? More like every day, amirite?
Apple has demonstrated that it can more than hold its own among the tech giants, at least in terms of finding itself on the wrong end of zero-day vulnerabilities.

iOS and iPadOS have again come under attack, and Apple has rushed out a fix to ward off miscreants.

The latest issues are CVE-2023-42824 and CVE-2023-5217. The latter is a week old and refers to a heap buffer overflow in the VP8 compression format in libvpx. Apple noted that the overflow could result in arbitrary code execution and fixed it by updating to libvpx 1.13.1.

The former, however, is a little more mysterious at this stage. It permits a local attacker to elevate their privileges, and Apple said it might have been actively exploited against versions of iOS before iOS 16.6.

The fix is in the kernel, and, according to Apple: "The issue was addressed with improved checks."

Devices for which the fix – in iOS 17.0.3 and iPadOS 17.0.3 – is available include the iPhone XS and later, the 6th generation iPad and later models, and the iPad Mini from the 5th generation onward. Apple's description of the update can be found here. The company dropped support for older models in iOS 17.

Apple devices have come under increasing scrutiny from attackers in recent years. The company was forced to hurry out patches in the last few weeks to deal with vulnerabilities in its software, which included a privilege elevation exploit in the kernel – CVE-2023-41992.

It is not clear if CVE-2023-41992 and the latest CVE-2023-42824 are connected. Both are related to kernel privilege elevation. CVE-2023-41992 was part of a trio of security holes exploited by the Predator spyware sold by Intellexa to infect the iPhones of victims.

In the case of the Predator spyware, the suggestion was that users should update their devices immediately. Users likely to find themselves targeted should also consider enabling Lockdown Mode to ward off attackers. ®
