Apple discloses 2 iOS zero-day vulnerabilities
CVE-2024-23225 and CVE-2024-23296, which bypass kernel memory protections, mark the second and third zero-day vulnerabilities that Apple has disclosed and patched this year.
Apple on Tuesday disclosed two iOS vulnerabilities that it said "may have been exploited."
As part of the latest security update for iOS 17.4 and iPadOS 17.4, Apple disclosed and released patches for two zero-day flaws: CVE-2024-23225 and CVE-2024-23296. CVE-2024-23225 is a "memory corruption issue" affecting the kernel; Apple said "an attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections." CVE-2024-23296 has an identical description, though it is specific to RTKit, an operating system contained in most Apple chips, peripherals and embedded devices.
Both flaws affect the following devices:
- iPhone XS and later.
- iPad Pro 12.9-inch 2nd generation and later.
- iPad Pro 10.5-inch.
- iPad Pro 11-inch 1st generation and later.
- iPad Air 3rd generation and later.
- iPad 6th generation and later.
- iPad mini 5th generation and later.
Apple did not provide further details in the disclosure or credit specific researchers in the security advisory. Apple only noted in both cases that the vulnerabilities "may have been exploited" in the wild and that both issues were addressed via "improved validation." Neither vulnerability had been assigned a CVSS score at press time.
In a post to X, formerly known as Twitter, Kaspersky noted that the flaws' capability to bypass kernel memory protections "appears to be a direct path to privilege escalation." The antivirus vendor also said the lack of credited researchers "may suggest an ongoing investigation." Kaspersky recommended that all iOS users update as soon as possible.
A spokesperson for Apple declined to comment.
CVE-2024-23225 and CVE-2024-23296 mark the second and third zero-days Apple has addressed this year. The first came in January: CVE-2024-23222, which Apple addressed in a similar update. CVE-2024-23222 is a type confusion issue in WebKit; according to Apple, "Processing maliciously crafted web content may lead to arbitrary code execution."
Apple has disclosed a litany of zero-day flaws in recent years, many of which have been connected to exploits used by the commercial spyware industry. For example, the company disclosed three vulnerabilities on Sept. 21 that affected iOS and iPadOS. Bill Marczak, a researcher at Citizen Lab, and Maddie Stone, a security researcher in Google's Threat Analysis Group, were credited with the discovery of all three zero-day flaws. The day after the disclosure, Citizen Lab researchers published a blog post that connected the vulnerabilities to an exploit chain used to deliver Cytrox's Predator spyware.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.