Apple Fixes Zero-Day Flaws Exploited by Hackers

Apple has issued critical security updates to address two zero-day vulnerabilities in iOS, which have been exploited in real-world attacks against iPhone users. The company disclosed this information on March 5th in a separate security advisory.

The vulnerabilities were identified in the iOS kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), though their CVSS ratings have yet to be determined. Both vulnerabilities allow attackers with arbitrary read and write capabilities in the kernel to circumvent kernel memory protections.

Apple has remedied these flaws for devices operating on iOS 17.4, iPadOS 17.4, iOS 16.76, and iPadOS 16.7.6 by enhancing data input validation. The list of affected Apple devices includes the iPhone XS and newer models, iPhone 8, iPhone 8 Plus, iPhone X, 5th generation iPad, 9.7-inch iPad Pro, and 1st generation 12.9-inch iPad Pro, as well as later versions of these devices and other iPad and iPad mini models.

While Apple has not provided details on specific instances of these vulnerabilities being exploited “in the wild,” such vulnerabilities are often utilized in state-sponsored spyware like the Israeli NSO Group’s Pegasus. This software is typically deployed against journalists, opposition politicians, and dissidents.

It is strongly recommended to install the security updates promptly to mitigate potential risks, even considering the likelihood that these vulnerabilities were used only in targeted attacks.

This year, Apple has already addressed three zero-day vulnerabilities, the first of which was rectified in January. In the previous year, the company had fixed as many as 20 such vulnerabilities.