Apple has taken swift action to address two zero-day vulnerabilities that have been actively exploited in attacks targeting iPhones. In response to these security concerns, the company issued emergency security updates.
In a statement released on Tuesday, Apple acknowledged the existence of the vulnerabilities and their exploitation. The two bugs, identified in the iOS kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), granted attackers the ability to bypass kernel memory protections, potentially enabling them to execute arbitrary code with kernel-level privileges.
To mitigate these risks, Apple has rolled out security patches for devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6. These updates improve input validation, hardening the affected systems against potential attacks.
The impact of these vulnerabilities spans a wide range of Apple devices, including iPhone XS and later, iPhone 8, iPhone 8 Plus, iPhone X, various iPad models, and more.
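For a fleet administrator, the practical question is which managed devices are still below the patched builds named above. The following Python helper is an added example and not part of the article or of any Apple tooling: it compares reported iOS version strings against the two patched releases (17.4 on the iOS 17 branch, 16.7.6 on the iOS 16 branch) and lists devices that still need the update. The inventory records are constructed sample data; the function and field names are assumptions for illustration.

```python
from __future__ import annotations

# First build on each release branch that carries the fix for
# CVE-2024-23225 (kernel) and CVE-2024-23296 (RTKit), as stated in the article.
# Assumed for this example: branches older than iOS 16 received no fix.
PATCHED_FLOOR = {17: (17, 4, 0), 16: (16, 7, 6)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.4' or '16.7.6' into a 3-tuple so versions compare numerically.

    Padding matters: '17.4' must compare equal to '17.4.0', and a plain
    string comparison would wrongly rank '16.7.6' above '17.4'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = [int(p) for p in parts][:3]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> bool:
    """True if the reported version is at or above the patched build for its branch."""
    v = parse_version(version)
    major = v[0]
    if major > 17:
        # Anything newer than the iOS 17 branch postdates the fix.
        return True
    floor = PATCHED_FLOOR.get(major)
    if floor is None:
        # iOS 15 and earlier: no patched build listed, treat as exposed.
        return False
    return v >= floor


def triage(inventory: list[dict[str, str]]) -> list[str]:
    """Return the names of devices whose OS is still below the patched build."""
    return [d["name"] for d in inventory if not is_patched(d["os_version"])]


# Constructed sample inventory (hypothetical MDM export, not real data).
SAMPLE_INVENTORY = [
    {"name": "exec-01", "os_version": "17.4"},
    {"name": "exec-02", "os_version": "17.3.1"},
    {"name": "legacy-01", "os_version": "16.7.6"},
    {"name": "legacy-02", "os_version": "16.7.5"},
    {"name": "old-01", "os_version": "15.8.1"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: update required")
```

The branch-aware floor is the point of the example: a naive "is the version at least 17.4" check would flag every iPhone 8, 8 Plus and X on 16.7.6 as exposed even though those devices cannot run iOS 17 and are already patched on their own branch.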
As of now, Apple has not disclosed the source of the zero-day vulnerabilities nor confirmed whether they were identified internally or reported externally.
While there is no indication of widespread exploitation in the wild, it's worth noting that zero-day vulnerabilities in iOS are frequently exploited in targeted attacks, particularly against individuals at high risk, such as journalists, political figures, and activists.
Given the potential severity of these vulnerabilities, Apple urges users to apply the latest security updates promptly to safeguard their devices against potential exploitation.
This marks the third set of zero-day vulnerabilities addressed by Apple in 2024, following a similar action in January. In 2023, the company faced numerous zero-day vulnerabilities, totaling 20, which were exploited in the wild. These vulnerabilities were systematically addressed through a series of security updates throughout the year, underscoring Apple's commitment to protecting its users from evolving threats.