Apple has released emergency security updates to fix two critical iOS zero-day vulnerabilities that hackers are actively using to compromise iPhone users at the kernel level.
According to the Apple security bulletin released on March 5, both are memory corruption bugs that allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections:
- CVE-2024-23225: found in the iOS kernel
- CVE-2024-23296: found in the RTKit component
While Apple, true to form, declined to offer further details, Krishna Vishnubhotla, vice president of product strategy at mobile security vendor Zimperium, explains that flaws like these present heightened risks for individuals and organizations.
“The kernel on any platform is critical because it handles all operating system operations and hardware interactions,” he explains. “A vulnerability allowing arbitrary access could allow attackers to bypass security mechanisms, potentially leading to full system compromise, data breaches, and the introduction of malware.”
And beyond that, kernel memory protection bypasses are a particular prize for cyberattackers focused on Apple platforms.
“Apple has strong protections in place to prevent apps from accessing data and features of other apps or the system,” says John Bambenek, president of Bambenek Consulting. “Bypassing kernel protections essentially allows an attacker to rootkit your phone so they can access everything, like your GPS, camera, microphone, and messages sent and received in clear text (e.g., Signal).”
Apple bugs: Not just for nation-state rootkitting
That brings the count of actively exploited Apple zero-days so far this year to three: in January the technology giant patched a type confusion bug in the Safari WebKit browser engine (CVE-2024-23222) that was already being exploited in the wild.
It's unclear who is exploiting these latest bugs, but iOS users have become prime targets for spyware in recent months. Last year, Kaspersky researchers discovered a number of Apple zero-day flaws (CVE-2023-46690, CVE-2023-32434, CVE-2023-32439) linked to Operation Triangulation, a sophisticated, likely state-sponsored, cyber espionage campaign that deployed TriangleDB spy implants on iOS devices at a variety of government and corporate targets. And nation-states are well known for using iOS zero-days to deploy NSO Group's Pegasus spyware on targeted devices, including in a recent campaign against Jordanian civil society.
However, John Gallagher, vice president of Viakoo Labs at Viakoo, says the nature of the attackers may be more mundane and more dangerous to everyday organizations.
“iOS zero-day vulnerabilities aren’t just about state-sponsored spyware attacks, like Pegasus,” he says, adding that being able to bypass kernel memory protections while having read and write privileges is “how bad”. He notes: “Any threat actor aiming for stealth will want to exploit zero-day exploits, especially in highly used devices, such as smartphones, or in high-impact systems, such as IoT devices and applications.”
Apple users should update to the following versions, which fix the vulnerabilities with improved input validation: iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
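For anyone triaging a fleet rather than a single handset, the practical question is which devices still sit below those floors. The script below is an added example, not code from the article or from Apple: it parses MDM-style version strings, compares each device against the patched minimum for its release branch (17.4 or 16.7.6, as listed above), and flags devices on branches that received no fix for manual review rather than silently marking them safe. The inventory it runs on is constructed sample data, and "patched" here means patched for these two CVEs only, not up to date in general.

```python
"""Triage an iOS/iPadOS device inventory against the March 5, 2024 patch floors."""
from typing import Optional

# Minimum patched release per major branch, taken from the versions listed above.
# Branches not listed (iOS 15 and earlier) received no fix in this bulletin.
PATCHED_MIN = {
    17: (17, 4, 0),
    16: (16, 7, 6),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.7.6' or '17.4' into a zero-padded (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the branch floor, False if below it,
    None if the branch got no fix at all (needs manual review, not 'safe')."""
    v = parse_version(version)
    floor = PATCHED_MIN.get(v[0])
    if floor is None:
        return None
    return v >= floor


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket (device_id, os_version) pairs into patched / vulnerable / unknown."""
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, version in inventory:
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        buckets[key].append(device_id)
    return buckets


# Constructed sample inventory (hypothetical device IDs), not real data.
SAMPLE_INVENTORY = [
    ("ipad-01", "17.4"),
    ("iphone-02", "17.3.1"),
    ("iphone-03", "16.7.6"),
    ("iphone-04", "16.7.5"),
    ("iphone-05", "15.8.1"),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The three-way result matters: a device on iOS 15 is not "vulnerable" by this check, but it is also not protected, so it belongs in a separate queue for replacement or upgrade rather than being dropped from the report.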