Apple released security updates to address this year’s first zero-day vulnerability exploited in attacks that could impact iPhones, Macs, and Apple TVs.
The zero-day fixed today is tracked as CVE-2024-23222 [iOS, macOS, tvOS] and is a WebKit confusion issue that attackers could exploit to gain code execution on targeted devices.
Successful exploitation enables threat actors to execute arbitrary malicious code on devices running vulnerable iOS, macOS, and tvOS versions after the target opens a malicious web page.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple said today.
The company has yet to attribute the discovery of this security vulnerability to a security researcher. Although the company disclosed that it is aware of in-the-wild exploitation, it has yet to publish further details regarding these attacks.
Apple addressed CVE-2024-23222 with improved checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and higher, as well as on tvOS 17.3 and later.
The complete list of devices impacted by this WebKit zero-day is quite extensive, since the bug affects older and newer models, including:
- iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey and later
- Apple TV HD and Apple TV 4K (all models)
While this zero-day vulnerability was likely only used in targeted attacks, installing today’s security updates as soon as possible is highly advised to block potential attack attempts.
Today, Apple also backported patches to older iPhone and iPad models for two other WebKit zero-days (CVE-2023-42916 and CVE-2023-42917) patched in November.
Last year, the company fixed a total of 20 zero-day flaws exploited in the wild, including: