Apple has released an emergency update, iOS 17.0.3 and iPadOS 17.0.3 [1] [2] [3] [4] [5] [6] [10], to address two vulnerabilities [2] [3] [5] [6] [9], one of which Apple says may already have been exploited in the wild. The update is a security release and should be installed promptly on every affected device.

Description

The first vulnerability, CVE-2023-42824 [1] [2] [3] [5] [6] [7] [8] [9] [10], is a kernel flaw that lets a local attacker elevate privileges on an unpatched device [7] [8], potentially gaining full control of it [7]. No public exploit has been identified [3], but Apple states that it is aware of a report that the issue may have been exploited against versions of iOS before iOS 16.6 [4] [6] [8]. Apple addressed the issue with improved checks [1] [8]. The affected devices are iPhone XS and later [3] [6] [7], iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later [6] [8]. Users of these devices should update to iOS 17.0.3 or iPadOS 17.0.3.

The second vulnerability, CVE-2023-5217 [1] [2] [3] [5] [6] [7] [8] [9] [10], is a memory-corruption bug (a heap buffer overflow in VP8 encoding) in libvpx, the VP8/VP9 video codec library, and can lead to arbitrary code execution on a victim's device [7]. Because libvpx is bundled by many applications, the same bug affected several browsers, including Google Chrome and Microsoft Edge (both Chromium-based) and Mozilla Firefox [3] [7]; Google had already reported in-the-wild exploitation when it patched Chrome. Apple fixed the issue by updating to libvpx 1.13.1 [6] [8]. The affected Apple devices are the same as for CVE-2023-42824 [3]. The browser vendors shipped their own fixes, so users of those browsers on other platforms need to update them separately to a patched version [3].

Conclusion

Both vulnerabilities are fixed in iOS 17.0.3 and iPadOS 17.0.3. The nature of the attacks and the identity of the threat actors are not known [1]. Because CVE-2023-42824 is a local privilege escalation, exploiting it requires the attacker to have already gained code execution on the device through other means [1]; a memory-corruption bug in a codec such as CVE-2023-5217 is the kind of flaw that could provide that initial foothold, although the cited sources do not report the two being chained together. Apple urges all users to update to the latest versions of iOS and iPadOS [7]; on the device, go to Settings > General > Software Update [7]. Organizations that manage fleets of devices should confirm from their inventory data that every device reports 17.0.3 or later rather than relying on users to install the update themselves.
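The following script is an added example, not code from any of the cited sources or from Apple, showing how a fleet check against the fixed version can be done correctly. It parses dotted version strings numerically (a plain string comparison would rank "17.0.10" below "17.0.3"), pads short versions such as "17.0", and separates devices on an older major line (which this table does not cover) from devices that are simply behind on the iOS 17 line. The device names, platform labels and version strings in the sample inventory are constructed for the example; the fixed-version constants come from the advisory text above.

```python
"""Flag iOS/iPadOS devices in an inventory that still run a build older than
17.0.3, the release that fixes CVE-2023-42824 and CVE-2023-5217 (added example)."""

from dataclasses import dataclass

# Fixed versions taken from the advisory text. Devices on an older major line
# (for example still on iOS 16) are reported separately, because this table
# only covers the iOS 17 line and says nothing about other lines.
FIXED_OS_VERSION = (17, 0, 3)
FIXED_LIBVPX_VERSION = (1, 13, 1)   # version Apple upgraded libvpx to


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.0.3' into (17, 0, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_older(installed: str, fixed: tuple[int, ...]) -> bool:
    """True when installed < fixed. Short versions are zero-padded so that
    '17.0' compares as 17.0.0, and comparison is numeric, not lexical."""
    v = parse_version(installed)
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    f_padded = fixed + (0,) * (width - len(fixed))
    return v_padded < f_padded


@dataclass
class Device:
    name: str        # hypothetical inventory name
    platform: str    # "iOS" or "iPadOS", as an MDM export would label it
    os_version: str  # version string as reported by the device


def classify(device: Device) -> str:
    """Return 'patched', 'vulnerable', 'older-major-line' or 'out-of-scope'."""
    if device.platform not in ("iOS", "iPadOS"):
        return "out-of-scope"
    major = parse_version(device.os_version)[0]
    if major < FIXED_OS_VERSION[0]:
        return "older-major-line"   # needs a check against a different advisory
    return "vulnerable" if is_older(device.os_version, FIXED_OS_VERSION) else "patched"


def libvpx_needs_update(version: str) -> bool:
    """Same comparison applied to a libvpx build on another platform."""
    return is_older(version, FIXED_LIBVPX_VERSION)


# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    Device("iphone-xs-01", "iOS", "17.0.2"),
    Device("iphone-15-02", "iOS", "17.0.3"),
    Device("ipad-air-03", "iPadOS", "17.0"),
    Device("iphone-x-04", "iOS", "16.7"),
    Device("ipad-pro-05", "iPadOS", "17.0.10"),
]


def report(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Group device names by patch status."""
    out: dict[str, list[str]] = {}
    for d in inventory:
        out.setdefault(classify(d), []).append(d.name)
    return out


if __name__ == "__main__":
    for status, names in report().items():
        print(f"{status}: {', '.join(names)}")
```

The "older-major-line" bucket exists on purpose: a device that cannot run iOS 17 is neither patched nor covered by the 17.0.3 advisory, and silently treating "16.7" as "older than 17.0.3, therefore vulnerable" would hide the fact that it needs a different fix version.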

References

[1] https://thehackernews.com/2023/10/apple-rolls-out-security-patches-for.html
[2] https://digital.nhs.uk/cyber-alerts/2023/cc-4389
[3] https://cybersecuritynews.com/apple-emergency-zero-day-update/
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-42824
[5] https://www.malwarebytes.com/blog/news/2023/10/update-now-apple-patches-vulnerabilities-on-iphone-and-ipad
[6] https://www.helpnetsecurity.com/2023/10/05/cve-2023-42824/
[7] https://securityonline.info/cve-2023-42824-cve-2023-5217-two-zero-day-vulnerabilities-in-apple-ecosystem/
[8] https://support.apple.com/en-asia/HT213961
[9] https://arstechnica.com/gadgets/2023/10/apple-releases-ios-17-0-3-update-to-help-fix-iphone-15-pro-overheating/
[10] https://www.forbes.com/sites/kateoflahertyuk/2023/10/05/ios-1703-update-now-warning-issued-to-all-iphone-users/