Apple's security updates tackle two new iOS zero-days

Apple has released emergency security updates to fix two new iOS vulnerabilities actively used to attack iPhone users. The company has released emergency security updates to fix two iOS system vulnerabilities, labeled CVE-2024-23225 and CVE-2024-23296 respectively, that have been used to attack iPhone devices.

The CVE-2024-23225 vulnerability is a kernel memory corruption flaw that has been addressed with improved validation. "An attacker with arbitrary read and write capabilities in the kernel can overcome kernel memory protections. Apple is aware of a report that this issue could be exploited in an attack," the news release said.

The CVE-2024-23296 vulnerability is an RTKit memory corruption flaw that has been addressed with improved validation.

Apple confirmed active exploitation of both vulnerabilities. "Apple is aware of a report that this issue could be exploited in an attack," the company said in a statement.

The affected devices are the iPhone XS and subsequent models, iPad Pro 12.9-inch 2nd generation and subsequent models, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and subsequent models, iPad Air 3rd generation and subsequent models, iPad 6th generation and subsequent models, and iPad mini 5th generation and subsequent models.

The IT giant addressed the two vulnerabilities with the release of iOS 17.4, iPadOS 17.4, iOS 16.76 and iPad 16.7.6.

iPhone vulnerabilities are typically exploited by commercial spyware makers or state actors, often targeting dissidents and journalists.

Below is a list of current vulnerabilities resolved by Apple this year:

• January 2024 - CVE-2024-23222: a type mismatch issue that resides in WebKit.

Subscribe to me on Twitter: @securityaffairs and Facebook Pierluigi Paganini (SecurityAffairs - hack, zero-day).