A pair of critical bugs could open the door to complete system compromise, including access to location information, iPhone camera and mic, and messages. Rootkitted attackers could theoretically perform lateral movement to corporate networks, too.

Worm exiting a fresh apple
Source: mauritius images GmbH via Alamy Stock Photo

Apple has released emergency security updates to fix two critical iOS zero-day vulnerabilities that cyberattackers are actively using to compromise iPhone users at the kernel level.

According to Apple's security bulletin released March 5, the memory-corruption bugs both allow threat actors with arbitrary kernel read and write capabilities to bypass kernel memory protections:

  • CVE-2024-23225: Found in the iOS Kernel

  • CVE-2024-23296: Found in the RTKit component

While Apple, true to form, declined to offer additional details, Krishna Vishnubhotla, vice president of product strategy at mobile security provider Zimperium, explains that flaws like these present exacerbated risk to individuals and organizations.

"The kernel on any platform is crucial because it manages all operating system operations and hardware interactions," he explains. "A vulnerability in it that allows arbitrary access can enable attackers to bypass security mechanisms, potentially leading to a complete system compromise, data breaches, and malware introduction."

And not only that, but kernel memory-protection bypasses are a special plum for Apple-focused cyberattackers.

"Apple has strong protections to prevent apps from accessing data and functionality of other apps or the system," says John Bambenek, president at Bambenek Consulting. "Bypassing kernel protections essentially lets an attacker rootkit the phone so they can access everything such as the GPS, camera and mic, and messages sent and received in cleartext (i.e., Signal)."

Apple Bugs: Not Just for Nation-State Rootkitting

The number of exploited zero-days for Apple so far stands at three: In January, the tech giant patched an actively exploited zero-day bug in the Safari WebKit browser engine (CVE-2024-23222), a type confusion error.

It's unclear who's doing the exploiting in this case, but iOS users have become top targets for spyware in recent months. Last year, Kaspersky researchers uncovered discovered a series of Apple zero-day flaws (CVE-2023-46690, CVE-2023-32434, CVE-2023-32439) connected to Operation Triangulation, a sophisticated, likely state-sponsored cyber-espionage campaign that deployed TriangleDB spying implants on iOS devices at a variety of government and corporate targets. And nation-states are well-known for using zero-days to drop the NSO Group's Pegasus spyware on iOS devices — including in a recent campaign against Jordanian civil society.

However, John Gallagher, vice president of Viakoo Labs at Viakoo, says the nature of the attackers could be more mundane — and more dangerous to everyday organizations.

"iOS zero-day vulnerabilities are not just for state-sponsored spyware attacks, such as Pegasus," he says, adding that being able to bypass kernel memory protections while having read and write privileges is "as serious as it gets." He notes, "Any threat actor aiming for stealth will want to leverage zero-day exploits, especially in highly used devices, such as smartphones, or high-impact systems, such as IoT devices and applications."

Apple users should update to the following versions to patch the vulnerabilities with improved input validation: iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights