The vulnerabilities have been exploited to bypass kernel memory protections, according to Apple.

Apple is advising immediate patching against two zero-day vulnerabilities that attackers are actively exploiting for memory-corruption attacks on Apple devices. Tracked as CVE-2024-23225 and CVE-2024-23296, the bugs allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections, in the iOS kernel and in RTKit (Apple's real-time operating system) respectively. Because both flaws sit in the post-exploitation stage, they are typically chained with a separate initial-access bug; Apple has not said which.

"Apple is aware of a report that this issue may have been exploited," Apple said in its patch note, adding that the "memory corruption issue was addressed with improved validation." With this rollout, Apple has patched three zero-days this year, the first being a WebKit type confusion issue (CVE-2024-23222) fixed in January.

Patched in iOS 17.4 and iPadOS 17.4

The fixes ship in the latest software updates for iPhones and iPads, iOS 17.4 and iPadOS 17.4 respectively. While Apple did not disclose details of the known exploitation or how the bugs were discovered, it did list the devices the patches are available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Apple also issued patches for devices that have dropped out of iOS 17 and iPadOS 17 support: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation. For these devices the fixed releases are iOS 16.7.6 and iPadOS 16.7.6. Note that the 16.7.6 release is for this legacy list only; a device that can run iOS 17 but is still on a 16.x build is not patched until it reaches 17.4.

Apart from the two zero-days, iOS 17.4 and iPadOS 17.4 also fix two privacy bugs, CVE-2024-23243 and CVE-2024-23256, both of which could expose a user's private data.
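For anyone responsible for a fleet, the practical question is which devices are still below the fixed release for their support branch. The following is an added example, not code from the article or from Apple: it encodes the two minimum releases and the legacy device list stated above, compares versions as integer tuples (so "17.4" correctly ranks above "17.3.1"), and flags anything short of the fix. The inventory rows are constructed for illustration, and the exact marketing-name strings used as keys are an assumption of this example rather than something the article specifies.

```python
"""Fleet check for the iOS/iPadOS 17.4 and 16.7.6 security releases.

Added example, not from the article. The device inventory below is
constructed for illustration; the model-name strings are an assumption.
"""
from typing import NamedTuple

# Minimum release carrying the fixes for CVE-2024-23225 / CVE-2024-23296,
# per support branch (as stated in the article).
MIN_PATCHED = {
    "17": (17, 4),      # iOS 17.4 / iPadOS 17.4
    "16": (16, 7, 6),   # iOS 16.7.6 / iPadOS 16.7.6, legacy devices only
}

# Devices no longer on iOS 17 / iPadOS 17 that received 16.7.6 (per the article).
# Name strings are an assumption for this example; match them to your MDM's field.
LEGACY_16_DEVICES = {
    "iPhone 8", "iPhone 8 Plus", "iPhone X",
    "iPad 5th generation", "iPad Pro 9.7-inch", "iPad Pro 12.9-inch 1st generation",
}


class Device(NamedTuple):
    name: str        # asset tag or hostname
    model: str       # marketing model name
    os_version: str  # as reported, e.g. "17.3.1"


def parse_version(v: str) -> tuple[int, ...]:
    """'17.3.1' -> (17, 3, 1). Tuple comparison avoids the string-compare
    trap where '17.4' < '17.3.1' because '4' > '3' is never reached."""
    return tuple(int(p) for p in v.strip().split("."))


def required_version(model: str) -> tuple[int, ...]:
    """Legacy devices are fixed at 16.7.6; everything else must reach 17.4.
    A 17-capable device still on some 16.x build is therefore unpatched."""
    branch = "16" if model in LEGACY_16_DEVICES else "17"
    return MIN_PATCHED[branch]


def is_patched(model: str, os_version: str) -> bool:
    return parse_version(os_version) >= required_version(model)


def unpatched(devices: list[Device]) -> list[str]:
    """Names of devices still below the fixed release for their branch."""
    return [d.name for d in devices if not is_patched(d.model, d.os_version)]


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("ip-001", "iPhone 15", "17.4"),
    Device("ip-002", "iPhone 13", "17.3.1"),
    Device("ip-003", "iPhone XS", "16.7.6"),   # 17-capable, stuck on 16.x: unpatched
    Device("ip-004", "iPhone X", "16.7.6"),    # legacy branch: patched
    Device("ip-005", "iPhone X", "16.7.5"),
    Device("ipad-01", "iPad Pro 11-inch 2nd generation", "17.4"),
]

if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print("NEEDS UPDATE:", name)
```

Run against an export from your MDM by mapping its model and OS fields onto `Device`; the one thing to keep straight is that the 16.7.6 floor applies only to the legacy list, which is why `required_version` branches on the model rather than on the version the device happens to report.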
Many Apple bugs have been weaponized in the past, some by nation-state-linked actors, before the iPhone maker had time to develop and ship a patch. Last year, Apple products were hit by more than 20 zero-days, the most recent being the info-stealing bugs affecting Macs and iPads.