Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.
The issue, tracked as CVE-2024-23222, is a type confusion bug in the WebKit browser engine that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.
Type confusion vulnerabilities, in general, could be weaponized to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.
In a terse advisory, Apple acknowledged it's "aware of a report that this issue may have been exploited," but did not share any other specifics about the nature of attacks or the threat actors leveraging the shortcoming.
The updates are available for the following devices and operating systems -
- iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- macOS Sonoma 14.3 - Macs running macOS Sonoma
- macOS Ventura 13.6.4 - Macs running macOS Ventura
- macOS Monterey 12.7.3 - Macs running macOS Monterey
- tvOS 17.3 - Apple TV HD and Apple TV 4K (all models)
- Safari 17.3 - Macs running macOS Monterey and macOS Ventura
The development marks the first actively exploited zero-day vulnerability to be patched by Apple this year. Last year, the iPhone maker had addressed 20 zero-days that have been employed in real-world attacks.
In addition, Apple has backported fixes for CVE-2023-42916 and CVE-2023-42917 – patches for which were first released in December 2023 – to older devices -
- iOS 15.8.1 and iPadOS 15.8.1 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
The disclosure also follows a report that Chinese authorities revealed that they have used previously known vulnerabilities in Apple's AirDrop functionality to help law enforcement to identify senders of inappropriate content, using a technique based on rainbow tables.