Apple releases important update for actively exploited zero-day vulnerability

ReportMarch 6, 2024Editorial DepartmentVulnerabilities/Zero-days

Apple has released security updates to address multiple security vulnerabilities, including two that it says have been widely exploited.

The disadvantages are as follows:

• CVE-2024-23225 – A memory corruption issue in the core that could allow an attacker with arbitrary core read and write capabilities to bypass core memory protections

• CVE-2024-23296 – A memory corruption issue exists in the RTKit Real-Time Operating System (RTOS) that could allow an attacker with arbitrary core read and write capabilities to bypass core memory protections.

It’s unclear how these flaws could be weaponized in the wild. Apple said both vulnerabilities have been addressed through improved verification in iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6.

These updates are available for the following devices –

• iOS 16.7.6 and iPadOS 16.7.6 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

• iOS 17.4 and iPadOS 17.4 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later models, iPad 6th generation and later, and iPad mini 5th generation and later

According to the latest developments, Apple has resolved a total of three actively exploited zero-day vulnerabilities in its software since the beginning of this year. In late January 2024, it fixed a type confusion flaw (CVE-2024-23222) in WebKit, affecting iOS, iPadOS, macOS, tvOS and Safari web browsers, which could lead to arbitrary code execution.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Catalog of Known Exploitable Vulnerabilities (KEVs), urging federal agencies to apply the necessary updates by March 26, 2024.

The vulnerabilities involve an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could lead to code execution with root privileges (CVE-2021-36380).

Google admitted in an announcement in June 2023 that it had found indications that “CVE-2023-21237 may be subject to limited, targeted exploitation.” As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet named IZ1H9 was exploiting the flaw to include vulnerable devices in a DDoS botnet.

Did you find this article interesting?follow us Twitter  and LinkedIn to read more exclusive content from us.

//platform.twitter.com/widgets.js

Source link

from Tech Empire Solutions https://techempiresolutions.com/apple-releases-important-update-for-actively-exploited-zero-day-vulnerability/
via https://techempiresolutions.com/

from Tech Empire Solutions https://techempiresolutions.wordpress.com/2024/03/06/apple-releases-important-update-for-actively-exploited-zero-day-vulnerability/
via https://techempiresolutions.com/

from Mary Ashley https://maryashle.wordpress.com/2024/03/06/apple-releases-important-update-for-actively-exploited-zero-day-vulnerability/
via https://techempiresolutions.com/