In response to a zero-day vulnerability that is being actively exploited in the wild, Apple provided security upgrades on Monday for the Safari web browser, iOS, iPadOS, macOS, tvOS, and Linux.
A threat actor could use the problem, identified as CVE-2024-23222, which is a type confusion bug in the WebKit browser engine, to execute arbitrary code when processing maliciously created web content. The tech behemoth claimed that better checks had resolved the issue.
In general, type confusion vulnerabilities have the potential to be used as a weapon to execute arbitrary code, cause a crash, or accomplish out-of-bounds memory access.
Apple issued a brief advisory stating that it is “aware of a report that this issue may have been exploited,” but it provided no further details regarding the type of attacks or the threat actors taking advantage of the vulnerability.
The following hardware and operating systems can receive the updates:
- iOS 17.3 and iPadOS 17.3 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- iOS 16.7.5 and iPadOS 16.7.5 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- macOS Sonoma 14.3 – Macs running macOS Sonoma
- macOS Ventura 13.6.4 – Macs running macOS Ventura
- macOS Monterey 12.7.3 – Macs running macOS Monterey
- tvOS 17.3 – Apple TV HD and Apple TV 4K (all models)
- Safari 17.3 – Macs running macOS Monterey and macOS Ventura
This is the first time Apple has patched a zero-day vulnerability that has been actively exploited this year. The manufacturer of iPhones fixed 20 zero-day vulnerabilities that were used in actual assaults last year.
Furthermore, Apple has sent updates to older devices for CVE-2023-42916 and CVE-2023-42917, patches for which were initially made available in December 2023.
- iOS 15.8.1 and iPadOS 15.8.1 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
The announcement coincides with another claim that Chinese authorities have disclosed that they have employed a rainbow table-based method to assist law enforcement in identifying senders of illicit content by leveraging previously identified weaknesses in Apple’s AirDrop capabilities.