Apple moves on kernel bug

7 months ago AndyC

Apple has rushed out an emergency patch for a vulnerability it says may have been exploited.

Apple moves on kernel bug

Apple has rushed out an emergency patch for a vulnerability it says may have been exploited.




Apple moves on kernel bug










In its typically tight-lipped advisory, Apple did not detail the nature of the vulnerability, which is designated CVE-2023-42824.

It says only that the issue affects “iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later”.

It’s a local privilege escalation vulnerability in the kernel, which “may have been actively exploited against versions of iOS before iOS 16.6.”

The emergency patch also includes mitigation of a second vulnerability, CVE-2023-5217.

This vulnerability is a bug in the libvpx video codec library from Google and the Alliance for Open Media.

It’s a heap buffer overflow and according to Mozilla, was first reported by Clément Lecigne of Google’s Threat Analysis Group.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” resulting in remote code execution, Mozilla’s advisory stated.

Mozilla said it was aware of the issue being exploited “in other products in the wild”.

Apple’s advisory said the issue was addressed by updating to libvpx 1.13.1.



About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , ,

More Stories

ACSC Issues Cisco ASA Device Alert

ACSC Issues Cisco ASA Device Alert

2 days ago AndyC
Australian businesses fast-track Microsoft cloud adoption amid cyber threats

Australian businesses fast-track Microsoft cloud adoption amid cyber threats

2 days ago AndyC
Zscaler introduces enhanced ZDX service for improved IT operations

Zscaler introduces enhanced ZDX service for improved IT operations

2 days ago AndyC
Exclusive: How Darktrace is tackling AI-driven cybersecurity

Exclusive: How Darktrace is tackling AI-driven cybersecurity

2 days ago AndyC
Record ransomware attacks in March 2024, report finds

Record ransomware attacks in March 2024, report finds

2 days ago AndyC
<div>Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs</div>

Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs

2 days ago AndyC

You may have missed

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

11 hours ago AndyC

Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

14 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

17 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

17 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

23 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.