Apple's trademark tight lips extend to new iPhone, iPad zero-days

Two flaws fixed, one knee bent to the EU, and a budding cybersecurity star feature in iOS 17.4


Apple's latest security patches address four vulnerabilities affecting iOS and iPadOS, including two zero-days that intel suggests attackers have already exploited.

In typical Apple fashion, it's keeping most of the interesting details under wraps, but both flaws allow an attacker to bypass the kernel's memory protections.

The consumer tech giant registered the first, in the kernel itself, as CVE-2024-23225, and said that an attacker would already need arbitrary kernel read and write capability to bypass the kernel memory protections. In other words, this is not an initial-access bug: it is the kind of primitive that gets chained after an earlier exploit has already handed the attacker control of kernel memory. The issue was fixed with improved validation, Apple said.

It's a similar story with CVE-2024-23296, the second zero-day disclosed in this round of updates. It affects RTKit, Apple's real-time operating system that runs on various devices such as AirPods and the Apple Watch, and its description closely mirrors that of CVE-2024-23225.

Attackers would again need arbitrary kernel read and write capability to exploit it, and it too allows miscreants to bypass kernel memory protections. It was also fixed with improved validation.

There are, however, slight differences between the two. The iOS and iPadOS 17.4 updates protect users on current hardware from both vulnerabilities, but Cupertino's security engineers also had to ship a separate patch for devices still running iOS and iPadOS 16.x.

That is because CVE-2024-23225 also affects older devices such as the iPhone 8, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation – hardware that Apple's latest OS releases no longer support.

Unfortunately, there are no details on offer about which attacks the exploited zero-days were used in or how severe the vulnerabilities are. At the time of writing, the National Vulnerability Database (NVD) is still analyzing the flaws and hasn't yet assigned either a CVSS severity rating.

Usually, when vendors register CVEs they also provide a provisional CVSS rating of their own, which appears alongside the NVD's assessment, but in our experience Apple rarely submits one.

Apple has also withheld attribution for the zero-days' discovery, revealing nothing about whether they were found in-house or reported by a third party.

iOS and iPadOS 17.4 were released on March 5 and also brought with them fixes for two other, minor-sounding vulnerabilities.

Discovered by Cristian Dinca, a student at Tudor Vianu National College of Computer Science in Bucharest, CVE-2024-23243 was registered as a vulnerability that could expose sensitive location information to an app.

"A privacy issue was addressed with improved private data redaction for log entries," said Apple.

Students at the school are aged between 11 and 19 years, which means Dinca may well have a bright future in cybersecurity.

The discovery of CVE-2024-23256 was attributed to one "Om Kothawade," although no affiliation was listed next to their name.

The vulnerability relates to Safari's private browsing feature: with Locked Private Browsing enabled, a user's locked tabs could briefly become visible while switching between tab groups.

"A logic issue was addressed with improved state management," said Apple.

More than a patch

As we've already covered this week, Apple's iOS and iPadOS 17.4 updates brought more than just security fixes.

The changes ordered under the EU's Digital Markets Act are now in the wild. Apple was compelled by Brussels to give users a choice over their browser engine and over where they download their apps from.

Apple met its March 6 deadline early, overhauling its longstanding rules against app sideloading and against browser apps using their own engines on Apple's phones and tablets. Until now, Chrome, Firefox, and the rest were required to run on Apple's WebKit engine, the same one that powers Safari, making them essentially different front ends over the same rendering engine.

In the EU, that's no longer the case. After installing the update, users see a new setup screen prompting them to choose a default browser. It has also emerged that they may be penalized for spending too much time outside of the bloc, with Apple stating: "If you're gone for too long, you'll lose access to some features, including installing new alternative app marketplaces."

The updates also brought a few other features, such as automatic podcast transcription, quantum-safe iMessage encryption, and new emojis. ®
