
Apple’s 17.4 emergency update patches two iPhone zero-days


On March 5, Apple issued two emergency patches (iOS 17.4) for iPhone zero-days that the company said in an advisory may have been exploited in the wild.

Security pros said it was a serious issue because nation-state threat actors tend to exploit iOS zero-days to launch spyware attacks on high-risk individuals such as journalists, opposition politicians, and dissidents.

“While it was not mentioned whether these exploits were used by commercial spyware vendors, I believe there’s a high probability this is the case, given the high value of such exploits,” said Ken Westin, Field CISO at Panther Labs. “These types of exploits are utilized by commercial spyware vendors that provide their technology and services to nation-states, supposedly to target criminals; however, they are often misused to target dissidents and journalists.”

The first zero-day — CVE-2024-23225 — was in the iOS Kernel, while the second zero-day — CVE-2024-23296 — was in the RTKit. Apple said that in both cases an attacker with arbitrary kernel read-and-write capability could potentially bypass kernel memory protections.

For the Kernel, patches are now available for the following devices: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

And for the RTKit, patches are now available for the following devices: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Apple did not disclose the name of the researcher who found the two zero-day bugs. With the patches of the two bugs, Apple has fixed three zero-days in 2024 — the first happening in January.

Being able to bypass kernel memory protections, along with having read and write privileges, is as serious as it gets, said John Gallagher, vice president of Viakoo Labs. Gallagher added that Apple has effective patching mechanisms in place and that in other types of devices (particularly IoT), this could have long-lasting and devastating consequences.

“These iOS zero-day vulnerabilities are not just for state-sponsored spyware attacks, such as Pegasus,” said Gallagher. “Any threat actor aiming for stealth will want to leverage zero-day exploits, especially in highly used devices, such as smartphones, or high impact systems, such as IoT devices and applications.” 

iOS 17.4 delivers foundational security updates for Apple

Michael Covington, vice president, portfolio strategy at Jamf, said iOS 17.4 introduces some of the most foundational updates his team has ever seen to iPhone security.

Covington said while changes to account for the Digital Markets Act — like support for third-party app stores and alternative web browser engines — will dominate European headlines because of the recent EU ruling against Apple, the more far-reaching impact of iOS 17.4 is the introduction of a new iMessage security protocol: PQ3. Covington said PQ3 offers a massive jump forward in how messages are protected from the next generation of hacking tools.

“With PQ3, users of Apple’s iMessage service can be more confident that data sent today will be able to withstand attacks implemented using the quantum computing power that will be available to attackers in the future,” explained Covington. “Although quantum attacks have not yet materialized, we recommend that all users update to iOS 17.4 to effectively protect all messages with PQ3.”
