
    Apple Rolls Out Fixes for Exploited Zero-Day Vulnerabilities

    In a crucial update, Apple has patched a series of security vulnerabilities, among them two critical flaws that have reportedly been exploited by attackers. The issues, identified as CVE-2024-23225 and CVE-2024-23296, involve memory corruption within the Kernel and the RTKit real-time operating system (RTOS), respectively. These vulnerabilities could potentially allow attackers with kernel access to circumvent memory protections.

    Details on the exploitation methods of these vulnerabilities remain scarce, but Apple has responded with enhanced validation measures in its latest software updates. The affected versions and the updates provided are as follows:

    • For users with older devices, including iPhone 8, iPhone 8 Plus, iPhone X, and several iPad models, updates are available in iOS 16.7.6 and iPadOS 16.7.6.
    • The more recent devices, starting from iPhone XS and various iPad models, will receive the security enhancements through iOS 17.4 and iPadOS 17.4.

    This release continues Apple's effort to secure its ecosystem; it is the third set of actively exploited zero-days addressed since the beginning of the year. A previous significant update fixed a WebKit flaw (CVE-2024-23222) that posed a risk across multiple Apple platforms, including iOS, iPadOS, macOS, tvOS, and the Safari web browser.

    In parallel, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the urgency of patching these vulnerabilities by listing them in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been directed to apply the updates by March 26, 2024, highlighting the critical nature of these flaws.

    Additionally, CISA’s catalog update includes vulnerabilities from other vendors, such as an information disclosure issue in Android Pixel devices (CVE-2023-21237) and a command injection vulnerability in Sunhillo SureLine (CVE-2021-36380), both of which have seen active exploitation.

    As cyber threats continue to evolve, these incidents underscore the importance of maintaining up-to-date systems and the proactive stance companies and agencies must take to protect their digital infrastructures.
