Apple has released emergency security updates to patch two zero-day vulnerabilities that were actively exploited in attacks targeting iPhone and iPad users.
The first zero-day, tracked as CVE-2023-42824, is a kernel vulnerability that allows local attackers to escalate privileges on unpatched devices. With this flaw an attacker could gain full control over a victim’s device, even if the user has not installed any malicious apps.
The second zero-day, tracked as CVE-2023-5217, is a vulnerability in the VP8 video codec library (libvpx) that could allow arbitrary code execution. Attackers could execute any code they want on a victim’s device, potentially leading to data theft, malware infection, or even device takeover. The libvpx bug isn’t an Apple-exclusive concern.
Before Apple’s acknowledgment, both Google and Microsoft had already addressed the issue in their respective Chrome and Edge browsers, along with Teams and Skype products. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.
Apple has urged all users to update their devices to the latest versions of iOS and iPadOS as soon as possible. The affected devices include:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later