Apple Issues Urgent Patch for Actively Exploited Zero-Day Vulnerability

Apple has released urgent software updates for iPhones, iPads, Mac computers, Apple TVs, and the Safari web browser to address a critical zero-day vulnerability that has been actively exploited in the wild.

The vulnerability, tracked as CVE-2024-23222, is a type confusion issue in the WebKit browser engine that could allow a remote attacker to execute arbitrary code on vulnerable devices when processing specially crafted web content. If successfully exploited, the flaw could potentially enable full access to compromised systems.

Apple said in its advisory that the vulnerability was addressed with improved input validation in WebKit, the browser engine that powers Apple's Safari browser as well as all web content displayed in apps on iPhone, iPad, and Mac. However, the company did not share any specifics about the nature of attacks exploiting this vulnerability or the threat actors behind them, only saying that it is "aware of a report that this issue may have been exploited."

This is the first zero-day vulnerability patched by Apple in 2024. Last year, Apple addressed 20 actively exploited zero-days, indicating that the discovery and abuse of unpatched flaws in Apple software is on the rise.

The urgent updates have been released for the following Apple devices and operating systems:

  • iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • iOS 15.8.1 and iPadOS 15.8.1 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Sonoma 14.3 - Macs running macOS Sonoma
  • macOS Ventura 13.6.4 - Macs running macOS Ventura
  • macOS Monterey 12.7.3 - Macs running macOS Monterey
  • watchOS 10.3 - Apple Watch Series 4 and later
  • tvOS 17.3 - Apple TV HD and Apple TV 4K (all models)
  • Safari 17.3 - Macs running macOS Monterey and macOS Ventura

All users of these devices and operating systems are urged to update to the latest versions immediately to protect against potential attacks leveraging this vulnerability.
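For a fleet rather than a single device, the list above can be turned into an inventory check. The script below is an added example, not Apple tooling or part of the original article; the host names and inventory rows are constructed, and treating a later major release as patched is an assumption.

```python
"""Flag devices in an inventory export that are below the fixed releases listed above."""

# Fixed release per (platform, major version), copied from the list above.
FIXED = {
    ("iOS", 17): "17.3", ("iOS", 16): "16.7.5", ("iOS", 15): "15.8.1",
    ("iPadOS", 17): "17.3", ("iPadOS", 16): "16.7.5", ("iPadOS", 15): "15.8.1",
    ("macOS", 14): "14.3", ("macOS", 13): "13.6.4", ("macOS", 12): "12.7.3",
    ("watchOS", 10): "10.3", ("tvOS", 17): "17.3", ("Safari", 17): "17.3",
}

def parse(version):
    """'16.7' -> (16, 7, 0); padded so that '17.3' and '17.3.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    """Return 'patched', 'update', or 'no-fix-listed' for one device."""
    ver = parse(version)
    majors = [m for (p, m) in FIXED if p == platform]
    if not majors:
        return "no-fix-listed"        # platform does not appear in the list
    if ver[0] > max(majors):
        return "patched"              # assumption: later major releases carry the fix
    fixed = FIXED.get((platform, ver[0]))
    if fixed is None:
        return "no-fix-listed"        # branch older than any listed update
    return "patched" if ver >= parse(fixed) else "update"

def audit(rows):
    """rows: iterable of (host, platform, version); returns the rows that are not patched."""
    return [(h, p, v, status(p, v)) for h, p, v in rows if status(p, v) != "patched"]

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("iphone-01", "iOS", "17.3"),
    ("iphone-02", "iOS", "17.2.1"),
    ("ipad-03", "iPadOS", "16.7.5"),
    ("iphone-04", "iOS", "15.8"),
    ("mac-05", "macOS", "13.6.3"),
    ("mac-06", "macOS", "11.7.10"),
    ("watch-07", "watchOS", "10.3.0"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Devices reported as `no-fix-listed` run a branch for which the list above names no update, so they need a separate decision (upgrade or retire) rather than a point release.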

In addition to patching the actively exploited flaw, Apple has also backported fixes for two other WebKit vulnerabilities - CVE-2023-42916 and CVE-2023-42917 - that were previously addressed in December 2023. These additional WebKit fixes are included in the newly released iOS 15.8.1 and iPadOS 15.8.1 updates for older iPhone, iPad, and iPod touch devices that are no longer eligible for the latest iOS and iPadOS releases.

The critical patch arrives on the heels of reports that Chinese authorities have been using previously known vulnerabilities in Apple's AirDrop wireless file transfer protocol to identify and monitor protesters and other individuals sending inappropriate content in public spaces.

While Apple had already fixed the specific AirDrop flaws being exploited, the use of the technique raises questions about the privacy and security of Apple's proprietary close proximity sharing feature.

Apple continues to be a major target for hackers and nation-state actors alike due to the tremendous value of iPhone and Mac devices to both consumers and businesses.

The company's stringent vetting of apps allowed in the App Store provides a certain degree of security assurance, but vulnerabilities like the one patched today demonstrate that serious risks remain, underscoring the importance of promptly applying software updates.

Users are advised to enable automatic updates on all Apple devices so that the latest security fixes are delivered promptly.