Patch Now: Apple Zero-Day Exploits Bypass Kernel Security

A pair of critical bugs could open the door to complete system compromise, including access to location information, iPhone camera and mic, and messages. Rootkitted attackers could theoretically perform lateral movement to corporate networks, too.
March 6, 2024
Apple has released emergency security updates to fix two critical iOS zero-day vulnerabilities that cyberattackers are actively using to compromise iPhone users at the kernel level.
According to Apple's security bulletin released March 5, the memory-corruption bugs both allow threat actors with arbitrary kernel read and write capabilities to bypass kernel memory protections:
CVE-2024-23225: Found in the iOS Kernel
CVE-2024-23296: Found in the RTKit component
While Apple, true to form, declined to offer additional details, Krishna Vishnubhotla, vice president of product strategy at mobile security provider Zimperium, explains that flaws like these present exacerbated risk to individuals and organizations.
"The kernel on any platform is crucial because it manages all operating system operations and hardware interactions," he explains. "A vulnerability in it that allows arbitrary access can enable attackers to bypass security mechanisms, potentially leading to a complete system compromise, data breaches, and malware introduction."
And not only that, but kernel memory-protection bypasses are a special plum for Apple-focused cyberattackers.
"Apple has strong protections to prevent apps from accessing data and functionality of other apps or the system," says John Bambenek, president at Bambenek Consulting. "Bypassing kernel protections essentially lets an attacker rootkit the phone so they can access everything such as the GPS, camera and mic, and messages sent and received in cleartext (i.e., Signal)."
The number of exploited zero-days for Apple so far stands at three: In January, the tech giant patched an actively exploited zero-day bug in the Safari WebKit browser engine (CVE-2024-23222), a type confusion error.
It's unclear who's doing the exploiting in this case, but iOS users have become top targets for spyware in recent months. Last year, Kaspersky researchers uncovered a series of Apple zero-day flaws (CVE-2023-46690, CVE-2023-32434, CVE-2023-32439) connected to Operation Triangulation, a sophisticated, likely state-sponsored cyber-espionage campaign that deployed TriangleDB spying implants on iOS devices at a variety of government and corporate targets. And nation-states are well-known for using zero-days to drop the NSO Group's Pegasus spyware on iOS devices — including in a recent campaign against Jordanian civil society.
However, John Gallagher, vice president of Viakoo Labs at Viakoo, says the nature of the attackers could be more mundane — and more dangerous to everyday organizations.
"iOS zero-day vulnerabilities are not just for state-sponsored spyware attacks, such as Pegasus," he says, adding that being able to bypass kernel memory protections while having read and write privileges is "as serious as it gets." He notes, "Any threat actor aiming for stealth will want to leverage zero-day exploits, especially in highly used devices, such as smartphones, or high-impact systems, such as IoT devices and applications."
Apple users should update to the following versions, which patch the vulnerabilities with improved input validation: iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
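A fleet check of the kind an administrator might run against those minimum versions, added here as an example (it is not code from the article or from Apple). The inventory records and device names are constructed; a device on the 16.x branch is measured against 16.7.6, not 17.4.

```python
# Added example: flag devices still below the builds Apple shipped on
# March 5, 2024 for CVE-2024-23225 and CVE-2024-23296. Inventory records
# and device names are constructed, not real data.

# Minimum patched version per (OS, release branch), from the bulletin.
PATCHED = {
    ("iOS", 17): (17, 4),
    ("iPadOS", 17): (17, 4),
    ("iOS", 16): (16, 7, 6),
    ("iPadOS", 16): (16, 7, 6),
}

def parse_version(text):
    """'16.7.6' -> (16, 7, 6). Raises ValueError on non-numeric input."""
    return tuple(int(part) for part in text.strip().split("."))

def patch_status(os_name, version):
    """Classify a parsed version against the fix for its own branch.
    Tuple comparison handles unequal lengths: (17, 3, 1) < (17, 4) and
    (16, 7) < (16, 7, 6), so the 16.x branch is judged by 16.7.6 alone."""
    fix = PATCHED.get((os_name, version[0]))
    if fix is None:
        return "unknown_branch"  # not covered by the bulletin; review by hand
    return "patched" if version >= fix else "unpatched"

def audit(inventory):
    """Return [(device, status)] for each (device, os, version_text) record."""
    results = []
    for device, os_name, version_text in inventory:
        try:
            status = patch_status(os_name, parse_version(version_text))
        except ValueError:
            status = "invalid_version"  # e.g. beta strings or empty fields
        results.append((device, status))
    return results

INVENTORY = [  # constructed sample records
    ("phone-01", "iOS", "17.3.1"),
    ("phone-02", "iOS", "17.4"),
    ("tablet-01", "iPadOS", "16.7.5"),
    ("phone-03", "iOS", "16.7.6"),
    ("tablet-02", "iPadOS", "15.8"),
    ("phone-04", "iOS", "17.4.beta"),
]

if __name__ == "__main__":
    for device, status in audit(INVENTORY):
        print(f"{device}: {status}")
```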
Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
