Apple has released critical security updates for two zero-day vulnerabilities that were actively exploited by malicious actors.
The zero-day vulnerabilities (CVE-2024-23225 and CVE-2024-23296) posed a significant risk to users of Apple devices, including iPhones, iPads, and Macs.
Apple’s description of CVE-2024-23225 states it is a memory corruption vulnerability in the iOS kernel that "allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections."
CVE-2024-23296 is also a memory corruption vulnerability, but specific to RTKit, Apple's most widespread operating system, which runs on Apple chips, peripherals and embedded devices.
"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.
The company said it has patched the security flaws with improved input validation for devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
The extensive list of impacted Apple devices includes the following products:
- iPhone XS and later.
- iPad Pro 12.9-inch 2nd generation and later.
- iPad Pro 10.5-inch.
- iPad Pro 11-inch 1st generation and later.
- iPad Air 3rd generation and later.
- iPad 6th generation and later.
- iPad mini 5th generation and later.
While Apple did not reveal whether the vulnerabilities were discovered internally and did not credit any researchers in the advisory, it recommends that users of the affected products update to the latest versions immediately. Currently, neither of the vulnerabilities has been assigned a CVSS score.
Along with these two vulnerabilities, Apple had earlier fixed three zero-days in 2024, since January.