CVE-2023-42824 & CVE-2023-5217: Two Zero-Day Vulnerabilities in Apple Ecosystem
The first zero-day (CVE-2023-42824) is a kernel vulnerability that allows local attackers to escalate privileges on unpatched devices. This means that attackers could gain full control over a victim’s device, even if the user has not installed any malicious apps.
2. The Libvpx Video Codec Weakness: CVE-2023-5217
The second zero-day (CVE-2023-5217) is a vulnerability in the VP8 video codec library that could allow arbitrary code execution. This means that attackers could execute any code they want on a victim’s device, potentially leading to data theft, malware infection, or even device takeover. The libvpx bug isn’t an Apple-exclusive concern. Before Apple’s acknowledgment, both Google and Microsoft had already addressed the issue in their respective Chrome and Edge browsers, along with Teams and Skype products. Hats off to Clément Lecigne, a security researcher from Google’s Threat Analysis Group (TAG). TAG, renowned for unearthing zero-days used in state-sponsored spyware attacks, adds another feather to its cap with this discovery.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said in an advisory.
A zero-day vulnerability is a security vulnerability that is unknown to the software vendor. This means that there is no patch available to fix the vulnerability, and attackers can exploit it to gain access to systems or data.
Zero-day vulnerabilities are often used in targeted attacks against high-value targets, such as government agencies and businesses. However, they can also be used in more widespread attacks, such as the recent attacks against iPhone and iPad users.
Apple has urged all users to update their devices to the latest versions of iOS and iPadOS as soon as possible. The affected devices include:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later
If you are using an affected device, you should update to the latest version of iOS or iPadOS as soon as possible. You can do this by going to Settings > General > Software Update.