
Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS and the Safari web browser to address a zero-day vulnerability that has been widely exploited.
The issue, tracked as CVE-2024-23222, is a type confusion bug that allows threat actors to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the issue had been resolved through improved checks.

In general, type confusion vulnerabilities can be weaponized to perform out-of-bounds memory access or cause crashes and arbitrary code execution.
Apple acknowledged in a brief advisory that it was “aware of reports that this issue may have been exploited,” but did not disclose any other details about the nature of the attack or the threat actors who exploited the flaw.
These updates are available for the following devices and operating systems –
- iOS 17.3 and iPadOS 17.3 – iPhone 3rd generation and later models and iPad mini 5th generation and later
- iOS 16.7.5 and iPadOS 16.7.5 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch and iPad Pro 12.9-inch 1st generation
- macOS Sonoma 14.3 – Mac running macOS Sonoma
- macOS Ventura 13.6.4 – Mac running macOS Ventura
- macOS Monterey 12.7.3 – Mac running macOS Monterey
- tvOS 17.3 – Apple TV HD and Apple TV 4K (all models)
- Safari 17.3 – Mac running macOS Monterey and macOS Ventura
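The fixed versions listed above can be checked against a device inventory. The following is an added example, not code from Apple or from the original article: the `FIXED` table is taken from the list above, while the inventory rows, host names and status labels are constructed assumptions.

```python
# Fixed versions come from the list above; the inventory rows below are constructed.
FIXED = {  # (product, major release train) -> first version with the CVE-2024-23222 fix
    ("iOS", 17): (17, 3),
    ("iOS", 16): (16, 7, 5),
    ("iPadOS", 17): (17, 3),
    ("iPadOS", 16): (16, 7, 5),
    ("macOS", 14): (14, 3),
    ("macOS", 13): (13, 6, 4),
    ("macOS", 12): (12, 7, 3),
    ("tvOS", 17): (17, 3),
    ("Safari", 17): (17, 3),
}

def parse_version(text):
    """Turn '16.7.5' into (16, 7, 5); raises ValueError on non-numeric input."""
    return tuple(int(part) for part in text.strip().split("."))

def status(product, version):
    """Classify one product/version pair against the FIXED table."""
    try:
        have = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get((product, have[0]))
    if fixed is None:
        return "not-listed"  # the list gives no fixed version for this release train
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))    # so that 14.3 compares equal to 14.3.0
    fixed += (0,) * (width - len(fixed))
    return "patched" if have >= fixed else "vulnerable"

def audit(inventory):
    """Group hosts by status for an iterable of (host, product, version) rows."""
    report = {}
    for host, product, version in inventory:
        report.setdefault(status(product, version), []).append(host)
    return report

SAMPLE = [  # constructed rows, shaped like an MDM export
    ("phone-01", "iOS", "17.2.1"),
    ("phone-02", "iOS", "16.7.5"),
    ("phone-03", "iOS", "15.8.1"),
    ("mac-01", "macOS", "13.6.3"),
    ("mac-02", "macOS", "14.3"),
    ("mac-03", "Safari", "17.2"),
]

if __name__ == "__main__":
    for state, hosts in sorted(audit(SAMPLE).items()):
        print(state, hosts)
```

Release trains that the list does not cover, such as iOS 15, are reported as `not-listed` rather than guessed at.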
The development marks the first actively exploited zero-day vulnerability Apple has patched this year. Last year, the iPhone maker addressed 20 zero-day vulnerabilities used in real-world attacks.

Additionally, Apple has backported fixes for CVE-2023-42916 and CVE-2023-42917 to older devices (these patches were released in December 2023) –
- iOS 15.8.1 and iPadOS 15.8.1 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
It was previously reported that Chinese authorities revealed they had exploited previously known vulnerabilities in Apple's AirDrop feature, using a rainbow table-based technique to help law enforcement identify senders of inappropriate content.