Apple has rolled out security updates to address a zero-day vulnerability in the Safari web browser that was exploited during the recent Pwn2Own Vancouver hacking competition, BleepingComputer reports.
Click for more special coverage
Tracked as CVE-2024-27834, the vulnerability affects systems running macOS Monterey and macOS Ventura. It was reported by Manfred Paul, who used it alongside an integer underflow bug to achieve remote code execution, earning $60,000.
Apple's advisory explained that the flaw allowed attackers with arbitrary read and write capabilities to bypass Pointer Authentication, a security feature on the arm64e architecture designed to detect and guard against unauthorized changes to pointers in memory.
This patch improves checks to prevent such exploits. While the update for Safari 17.5 is available for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and visionOS 1.2, Apple has not confirmed if the CVE-2024-27834 bug has been patched on these platforms. In addition to the Safari patch, Apple also released backported security updates for older iPhones and iPads, addressing an iOS zero-day flaw that was being exploited in attacks.