Apple Releases Security Updates to Address Actively Exploited iOS Zero-Day Flaw


On Wednesday, Apple released security updates to fix a new zero-day vulnerability in iOS and iPadOS that the company said was already being actively exploited in the wild.

The kernel vulnerability, tracked as CVE-2023-42824, could be exploited by a local attacker to gain elevated privileges. Apple said the issue was addressed with improved checks.

In a brief advisory, Apple stated, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6."

While the nature of the attacks and the threat actors behind them remain unknown, the bug is a local privilege escalation, so successful exploitation almost certainly requires an attacker to have already gained code execution on the device by some other means, for example through a browser or messaging exploit.

Apple's latest patch also fixes CVE-2023-5217, a vulnerability in the WebRTC component that Google last week described as a heap-based buffer overflow in the VP8 encoder of libvpx; the same flaw was patched in Chrome as an exploited zero-day.

The updates, iOS 17.0.3 and iPadOS 17.0.3, are available for the following devices:

iPhone XS and later.

iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Since the beginning of the year, Apple has fixed a total of 17 actively exploited zero-days in its software.

It also arrives two weeks after Cupertino released patches for three issues (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that are alleged to have been chained by the commercial spyware vendor Cytrox to infect an iPhone belonging to former Egyptian lawmaker Ahmed Eltantawy with the Predator malware earlier this year.

It's worth noting that CVE-2023-41992 is also a kernel flaw that allows a local attacker to escalate privileges. It is unclear whether the two issues are related, or whether CVE-2023-42824 is a bypass of the fix for CVE-2023-41992.

In a recent investigation, Sekoia said it found overlaps in December 2021 between the infrastructure of customers of Cytrox (aka Lycantrox) and that of another commercial spyware company, Candiru (aka Karkadann), most likely because the same customers were operating both spyware products.

"The infrastructure used by Lycantrox consists of VPS hosted in several autonomous systems," the French cybersecurity firm explained, adding that each customer appears to run their own instances of VPS and administer their own domain names associated with it.

Tip: Users who are at risk of being targeted should enable Lockdown Mode to reduce their exposure to mercenary spyware attacks.
