Apple Releases iOS/iPadOS Updates with Zero Day Fixes.
Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities. Two of the vulnerabilities are already being exploited. CVE-2024-23225 is a privilege escalation issue and only affects iOS 17 as well as iOS 16. The second already exploited vulnerability, CVE-2024-23296, only affects iOS 17.
We rated the exploited vulnerabilities as "important", not "critical". They appear to only allow for privilege escalation.
iOS 17.4 and iPadOS 17.4 | iOS 16.7.6 and iPadOS 16.7.6 |
---|---|
CVE-2024-23243 [important] Accessibility A privacy issue was addressed with improved private data redaction for log entries. An app may be able to read sensitive location information |
|
x | |
CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel A memory corruption issue was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. |
|
x | x |
CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit A memory corruption issue was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. |
|
x | |
CVE-2024-23256 [moderate] Safari Private Browsing A logic issue was addressed with improved state management. A user's locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled |
|
x |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
Diary Archives
Comments