Apple has released a security update for older iPhones and iPads that fixes two zero-day vulnerabilities used in attacks, with backup port patches released a week ago.

“Apple is aware of reports that this issue may have been actively exploited in iOS versions prior to iOS 16.6,” the company said in a statement.

Apple has now fixed the issue with improved controls in iOS 16.7.1 and iPadOS 16.7.1 as well, but it is not yet known who discovered and reported the flaw.

The second bug, identified as CVE-2023-5217, is caused by a stack buffer overflow vulnerability in the VP8 encoding of the open source libvpx video codec library. This flaw could allow threat actors to execute arbitrary code upon successful exploitation.

Although Apple has not confirmed any exploits, Google previously patched libvpx into the Chrome web browser as a zero-day bug. Microsoft also fixed the same vulnerability in Edge, Teams and Skype products.

Google announced that CVE-2023-5217 was discovered by security researcher Clement Lessin, a member of Google’s Threat Analysis Group (TAG), a team of security experts known for discovering zero-days used in high-level government-targeted spyware attack security. . People at risk.

The list of devices affected by the two zero-day bugs is quite extensive and includes:

• iPhone 8 and newer
• iPad Pro (all models), iPad Air 3rd generation and above, iPad 5th generation and above, and iPad mini 5th generation and above

Last week, CISA added two vulnerabilities to its catalog of vulnerabilities known to be exploited and ordered federal agencies to protect their devices from incoming attacks.

Apple also recently addressed three zero-days (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by researchers at Citizen Lab and Google TAG. Attackers used them to distribute Cytrox’s Predator spyware. Additionally, Citizen Lab discovered two more zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064), which Apple patched last month.

These flaws were exploited as part of a click-free exploit chain known as BLASTPASS and were used to install NSO Group’s Pegasus spyware on fully patched iPhones.

Since the beginning of the year, Apple has patched 18 zero-day vulnerabilities commonly used to target iPhones and Macs:

• Two zero days in July (CVE-2023-37450 and CVE-2023-38606)
• Three zero days in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439)
• Three more zero days in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)
• Two zero days in April (CVE-2023-28206 and CVE-2023-28205)
• and another WebKit zero-day (CVE-2023-23529) in February