Apple has released emergency security updates for iPhone and iPad to address two newly discovered vulnerabilities that Apple says may have been exploited in the wild. The two vulnerabilities are (per MITRE):
CVE-2024-23225 - A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
CVE-2024-23296 - A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
As the MITRE descriptions note, Apple has released updates for both issues, but only CVE-2024-23225 is fixed in the iOS/iPadOS 16.7.6 update; CVE-2024-23296 is fixed only in iOS/iPadOS 17.4, so full remediation requires iPhones and iPads to be running 17.4.
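To make the remediation state above concrete, here is an added example (not from the original post) that checks a list of reported iOS/iPadOS versions against the fixed versions the two MITRE descriptions give. The fixed-version table is taken from those descriptions; the device inventory is constructed sample data; and the rule that any release branch newer than the ones listed carries the fix is an assumption, since the descriptions only name 16.7.6 and 17.4. Versions are compared as integer tuples because a plain string comparison would rank "17.10" below "17.4".

```python
"""Triage reported iOS/iPadOS versions against the fixed versions Apple lists
for CVE-2024-23225 and CVE-2024-23296 (added example, not the post's own
code). Fixed versions come from the MITRE descriptions; inventory rows are
constructed sample data."""

Version = tuple[int, ...]

# Fixed version per CVE, keyed by release branch (major version), as given
# in the MITRE descriptions: 23225 has a 16.x and a 17.x fix, 23296 only 17.4.
FIXED_VERSIONS: dict[str, dict[int, str]] = {
    "CVE-2024-23225": {16: "16.7.6", 17: "17.4"},
    "CVE-2024-23296": {17: "17.4"},
}


def parse_version(text: str) -> Version:
    """'17.3.1' -> (17, 3, 1). Tuples compare numerically; strings do not
    ('17.10' < '17.4' as strings, which would mis-flag a patched device)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(device_version: str, fixed_by_branch: dict[int, str]) -> bool:
    """True if the device's release branch has a fix and the device is at or
    past it. Assumption (not stated on the page): a branch newer than every
    listed one carries the fix; a branch older than every listed one does not."""
    v = parse_version(device_version)
    major = v[0]
    if major in fixed_by_branch:
        return v >= parse_version(fixed_by_branch[major])
    return major > max(fixed_by_branch)


def outstanding_cves(device_version: str) -> list[str]:
    """CVE IDs the device is still exposed to, in advisory order."""
    return [
        cve for cve, branches in FIXED_VERSIONS.items()
        if not is_fixed(device_version, branches)
    ]


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map device name -> outstanding CVEs for each (name, version) row,
    e.g. from an MDM inventory export."""
    return {name: outstanding_cves(version) for name, version in inventory}


# Constructed sample inventory: (device name, reported OS version).
SAMPLE_INVENTORY = [
    ("ipad-finance-01", "16.7.5"),  # 16.x branch, behind the 16.7.6 fix
    ("iphone-ceo", "16.7.6"),       # 16.x fix closes 23225 only
    ("iphone-sales-12", "17.3.1"),  # 17.x branch, behind 17.4
    ("iphone-it-03", "17.4"),       # fully remediated
    ("ipad-lab-07", "17.10"),       # a string compare would wrongly flag this
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name:18} {'OK' if not cves else ', '.join(cves)}")
```

Devices on 16.7.6 come back with CVE-2024-23296 still outstanding, which is the point of the remediation note: the 16.x update alone does not close both issues.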
This situation is yet another example of why both proper system updating and defense in depth are so critical to overall cybersecurity health. Note that both descriptions say the attacker must already hold arbitrary kernel read and write capability: these issues bypass kernel memory protections rather than provide the initial foothold, so they sit late in an exploit chain and the earlier layers of that chain are where other controls can break it. Updates provide security against known threats, while defense in depth strategies and controls provide additional safeguards against those threats and vulnerabilities yet to be discovered.