Apple fixes two new iOS zero-days exploited in attacks on iPhones


Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones.

“Apple is aware of a report that this issue may have been exploited,” the company said in an advisory issued on Tuesday.

The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections.

The company says it addressed the security flaws for devices running iOS 17.4iPadOS 17.4iOS 16.76, and iPad 16.7.6 with improved input validation.

The list of impacted Apple devices is quite extensive, and it includes:

  • iPhone XS and later, iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Apple has not shared who disclosed both zero-days or if they were discovered internally.

Read more…