Black Arrow Cyber Advisory 05 October 2023 – Apple Release Emergency Patch for Two Zero-day Vulnerabilities, Taking Total to 17 Zero-days So Far in 2023
Executive Summary
Apple have released emergency updates to patch two zero-day vulnerabilities, including one actively exploited vulnerability, which target iPhone and iPad devices. The vulnerabilities allow an attacker to escalate privileges and perform remote code execution.
What’s the risk to me or my business?
Exploitation allows an attacker to elevate their privileges to the highest available and perform code execution. This allows attackers to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.
Patches are available for:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Technical Summary:
CVE-2023-42824- A kernel vulnerability allowing local attackers to escalate privileges on vulnerable iPhones and iPads. This vulnerability has been exploited against versions of iOS before 16.6.
CVE-2023-5217 – A heap buffer overflow weakness in libvpx which could allow code execution.
What can I do?
Users are recommended the apply the patches immediately, due to the active exploitation in the wild. Organisations should also be aware that the patches mean employees using Apple BYOD devices will need to apply the relevant patches, as this impacts corporate information which the devices have access to.
Further information can be found below: