Apple, the tech behemoth, has recently released a set of critical security updates that address a range of vulnerabilities. Two of these vulnerabilities, identified as CVE-2024-23225 and CVE-2024-23296, have been reported to be actively exploited in the wild.
Overview of the Identified Vulnerabilities
CVE-2024-23225: This is a memory corruption issue in the kernel that can be leveraged by an attacker with unrestricted kernel read and write access to bypass kernel memory safeguards.
CVE-2024-23296: This vulnerability is a memory corruption issue in the RTKit real-time operating system (RTOS). Similar to the previous flaw, an attacker with unrestricted kernel read and write access can exploit this flaw to circumvent kernel memory protections.
List of Devices Eligible for the Updates
The security updates are available for the following devices:
iOS 16.7.6 and iPadOS 16.7.6 are compatible with iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
iOS 17.4 and iPadOS 17.4 can be installed on devices like iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
Exploitation Details
At present, the exact method of weaponizing these flaws in real-world attacks remains unclear. However, Apple has mentioned that both vulnerabilities have been rectified with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
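Because exploitation details are not public, the practical check for defenders is whether each device has reached the fixed release for its branch. The following is an added example, not Apple's or the article's own code: it flags inventory rows still below iOS/iPadOS 16.7.6 or 17.4. The inventory rows are constructed sample data, and the code assumes the inventory only contains models named in the device lists above, treating any model outside the 16.7.6 list as a 17.4 target.

```python
# Added example: flag devices below the fixed releases named in this article.
# Fixed releases, as stated on this page.
FIXED_16 = (16, 7, 6)
FIXED_17 = (17, 4)

# Models the page lists for the 16.7.6 update.
LEGACY_MODELS = {
    "iPhone 8", "iPhone 8 Plus", "iPhone X", "iPad 5th generation",
    "iPad Pro 9.7-inch", "iPad Pro 12.9-inch 1st generation",
}

def parse_version(text):
    """Turn '17.3.1' into (17, 3, 1); raises ValueError on junk or empty input."""
    return tuple(int(part) for part in text.strip().split("."))

def _pad(version, width=3):
    """Pad with zeros so (17, 4) compares equal to (17, 4, 0)."""
    return version + (0,) * (width - len(version))

def patch_status(model, os_version):
    """Return 'patched', 'needs <release>', or 'unknown version'."""
    try:
        current = parse_version(os_version)
    except ValueError:
        return "unknown version"  # treat unparseable data as unverified
    # Assumption: any model not in the 16.7.6 list is eligible for 17.4.
    target = FIXED_16 if model in LEGACY_MODELS else FIXED_17
    if _pad(current) >= _pad(target):
        return "patched"
    return "needs " + ".".join(str(n) for n in target)

def audit(inventory):
    """Return (device_id, status) for every row that is not confirmed patched."""
    findings = []
    for device_id, model, os_version in inventory:
        status = patch_status(model, os_version)
        if status != "patched":
            findings.append((device_id, status))
    return findings

# Constructed sample inventory: (device id, model, reported OS version).
SAMPLE_INVENTORY = [
    ("dev-01", "iPhone 8", "16.7.6"),
    ("dev-02", "iPhone X", "16.7.2"),
    ("dev-03", "iPhone XS", "17.4"),
    ("dev-04", "iPad Air 3rd generation", "17.3.1"),
    ("dev-05", "iPhone 8 Plus", ""),
]

if __name__ == "__main__":
    for device_id, status in audit(SAMPLE_INVENTORY):
        print(device_id, status)
```

Rows with an empty or unparseable version are reported rather than skipped, so missing inventory data is not mistaken for a patched device.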
Zero-Day Exploitations in Apple Software
Since the onset of the year, Apple has addressed a total of three actively exploited zero-days in its software. Previously, in late January 2024, it remedied a type confusion flaw in WebKit (CVE-2024-23222) which impacted iOS, iPadOS, macOS, tvOS, and the Safari web browser, potentially leading to arbitrary code execution.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) Advisory
Simultaneously, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been urged to apply necessary updates by March 26, 2024.
The vulnerabilities include:
An information disclosure flaw affecting Android Pixel devices (CVE-2023-21237)
An operating system command injection flaw in Sunhillo SureLine, potentially leading to code execution with root privileges (CVE-2021-36380).
A Note on Previous Exploitations
In an advisory published in June 2023, Google acknowledged indications that “CVE-2023-21237 may be under limited, targeted exploitation.” Additionally, Fortinet revealed late last year that a Mirai botnet named IZ1H9 was leveraging the CVE-2021-36380 flaw to incorporate susceptible devices into a DDoS botnet.
In January 2024, Apple resolved a type confusion flaw in WebKit (CVE-2024-23222) that could potentially result in arbitrary code execution affecting iOS, iPadOS, macOS, tvOS, and the Safari web browser.
In a concurrent development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.
The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).
Addressing Cybersecurity Concerns with Meta Techs
Meta Techs, a leading cybersecurity consulting firm in Dubai, offers a range of services to help businesses bolster their cybersecurity defenses. Here are some of the key services provided by Meta Techs:
Risk Assessments: Meta Techs conducts risk assessments, such as its VAPT service, to identify potential vulnerabilities and evaluate the effectiveness of existing security measures. They provide detailed reports and recommendations to help businesses prioritize and address these risks.
Incident Response Planning: Meta Techs assists businesses in developing robust incident response plans to minimize the impact of cyber attacks. They work closely with organizations to define roles and responsibilities, establish communication protocols, and conduct regular drills to ensure preparedness.
Security Awareness Training: Meta Techs understands that employees play a crucial role in maintaining a secure environment. They offer security awareness training programs to educate employees about cyber threats, best practices, and the importance of maintaining good security hygiene.
Conclusion
Cyber threats are continually evolving, and it is critical for businesses to keep their systems updated with the latest security patches. With the deployment of these critical updates, Apple is taking proactive measures to ensure the security of its users. Alongside this, businesses can leverage the services of cybersecurity consulting firms like Meta Techs to strengthen their cybersecurity posture and protect their digital assets.