Apple has released an emergency update for iOS and iPadOS to fix a zero-day vulnerability that was actively exploited to hack iPhones and iPads. The update also patches two other security flaws that could allow attackers to execute arbitrary code or access sensitive information.

The zero-day vulnerability, tracked as CVE-2023-42824, affects the kernel component of iOS and iPadOS. According to Apple, a local attacker may be able to elevate their privileges by exploiting this flaw. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

Apple did not provide any details about the nature or source of the attacks, but security researchers have speculated that it could be related to the NSO Group, an Israeli company that sells spyware tools to governments and law enforcement agencies. NSO Group has been accused of using zero-day exploits to target activists, journalists, and dissidents around the world.

The emergency update, iOS 17.0.3 and iPadOS 17.0.3, also fixes two other vulnerabilities in WebRTC and WebKit, the components responsible for video conferencing and web browsing, respectively. These vulnerabilities, CVE-2023-5217 and CVE-2023-262365, could allow a remote attacker to cause unexpected application termination or arbitrary code execution by processing maliciously crafted web content.

Apple recommends that all users update their devices as soon as possible to protect themselves from these threats. Users can check for updates by going to Settings > General > Software Update on their devices.

Apple has traditionally had a strong security posture, although it has faced several data breaches, vulnerabilities, and controversies over the years. Some notable examples are: