
Atlassian, Apple warn customers of zero-days used in attacks

Two tech giants are warning their customers about zero-day vulnerabilities being exploited in attacks.

Apple published a terse advisory on Wednesday about CVE-2023-42824 – a vulnerability affecting iPhone XS and later as well as several versions of the iPad Pro and Air.

“A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” said Apple, which released an emergency fix for the issue.

The advisory also adds a note about CVE-2023-5217, another bug sourced back to the libvpx video codec library. Like another issue discovered last month, the vulnerability affects a media processing tool embedded within browsers.

The Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that hackers are exploiting CVE-2023-5217, and several browser makers have said their products are affected by it — including Google’s Chrome browser, Mozilla’s Firefox, Microsoft’s Edge and more.

Besides browsers, the code can be found in many other internet-based platforms, but it is unclear whether the vulnerability affects anything beyond browsers.

Google researchers first published information about the bug last week and said it was being exploited by unnamed commercial spyware vendors. Google said it was keeping information about the bug restricted so that users had a chance to install a fix.

Initially the flaw only appeared to affect Google products, but other browser makers identified the same problem, with Mozilla publishing its own advisory that rated CVE-2023-5217 as critical.

 

Atlassian attacks

Australian software giant Atlassian also released an advisory Wednesday on an issue with its Confluence Data Center and Server product. The company rated the vulnerability critical – the highest possible rating it has.

In a statement to Recorded Future News, a spokesperson for the company said Atlassian was recently made aware of CVE-2023-22515 and released a patch addressing it.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” they said.

“Atlassian Cloud sites are not impacted by this vulnerability. We have provided customers with details of affected versions, mitigation steps required and threat detection actions in our Critical Security Advisory.”

The company urged customers to not only upgrade to the fixed version but also have security teams look through the provided indicators of compromise to see if exploitation occurred.

Several Atlassian vulnerabilities have been widely exploited by hackers in the past, with at least one topping CISA’s list of the top 15 routinely exploited vulnerabilities in 2021.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.