Apple has issued security updates for older iPhone and iPad models to address security vulnerabilities exploited in cyber-attacks. The company is responding to a report indicating that this issue has been actively exploited against versions of the iOS prior to 16.6.
The first security vulnerability relates to privilege escalation and stems from a weakness in the XNU kernel, allowing attackers to elevate privileges on unprotected iPhones and iPads. This issue has been addressed in iOS 16.7.1 and iPadOS 16.7.1, though the party responsible for discovering the vulnerability has not yet been disclosed.
The second vulnerability arises from a flaw in the cache capacity bypass within the VP8 encoding system of the open-source libvpx video encoding library. This flaw could enable threat actors to execute arbitrary code when successfully exploiting the vulnerability.
While Apple has not confirmed real-world instances of these vulnerabilities being exploited, both Google and Microsoft have released patches for their products. It's worth noting that Google and its Threat Analysis Group analyze and report on immediate vulnerabilities exploited by state-sponsored threat actors in targeted attacks. The affected devices include iPhone 8 and newer models, all iPad Pro models, the third generation and newer iPad Air, the fifth generation and newer iPad, and the fifth generation and newer iPad Mini.
