Apple released a bevy of security patches to address a range of vulnerabilities including a zero-day that “may have been exploited” in iPhones, iPads and Macintosh computers.
The specific zero-day flaw (CVE-2024-23222) is a WebKit bug that can lead to arbitrary code execution when maliciously crafted web content is processed. Apple described it as a “type of confusion issue [that] was addressed with improved checks” in products running:
- iOS 17.3 and iPadOS 17.3 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
- iOS 16.7.5 and iPadOS 16.7.5 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)
- macOS Sonoma 14.3
- macOS Ventura 13.6.4
- macOS Monterey 12.7.3
- tvOS 17.3
- Safari 17.3
Apple did not disclose additional details about the vulnerability at this time “for our customers’ protection.” The opaque response is typical of Apple and other vendors who want to warn and encourage customers to patch their systems without tipping their hand to criminals who are working to exploit the vulnerability before it's patched.
Apple rolled out Rapid Security Response, a new way to deliver security updates, in August “to deliver important security improvements between software updates” that “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited ‘in the wild.’”
The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Jan. 23 about the Apple security updates, which are Apple’s first of 2024. Apple patched 20 so-called “zero day” or “zero click” bugs last year.
In addition to CVE-2024-23222, another WebKit bug — CVE-2024-23206 — allowed a maliciously crafted website to "fingerprint a user," while a third WebKit bug — CVE-2024-23214 — also might lead to arbitrary code execution when a user visits a maliciously crafted webpage.
Browser-based phishing attacks increased 198% in 2023, according to Menlo Security research set to be released on Jan. 24. That figure jumped to 206% when looking at attacks classified as evasive, which use a range of techniques meant to evade traditional security controls, according to the cybersecurity firm.
Given the limited information made available by Apple and Google about 2024's first browser zero days — CVE-2024-23222 and CVE-2024-0519, respectively — Menlo Chief Security Architect Lionel Litty said it was challenging to say whether the same vulnerability was exploited, since the Chrome CVE was in the JavaScript engine (V8) and Safari uses a different JavaScript engine. However, it is not uncommon for different implementations to have very similar flaws, he continued.
"Once attackers have found a soft spot in one browser, they are also known to probe other browsers in the same area," said Litty. "So while it's unlikely that this is the exact same vulnerability, it wouldn't be too surprising if there was some shared DNA between the two in-the-wild exploits."