Apple released a bevy of security patches to address a range of vulnerabilities including a zero-day that “may have been exploited” in iPhones, iPads and Macintosh computers.
The specific zero-day flaw (CVE-2024-23222) is a Webkit bug that can lead to arbitrary code execution by processing maliciously crafted web content. Apple described it as a “type of confusion issue [that] was addressed with improved checks” in products running:
- iOS17.3 and iPadOs 17.3 (iPhone XS and later models, iPad Pro 12.9-inch 2nd generation and later,iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
- iOS 16.7.5 and iPadOS 16.7.5 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)
- macOS Sonoma 14.3
- macOS Ventura 13.6.4
- macOS Monterey 12.7.3
- tvOS 17.3
- Safari 17.3
Apple did not disclose additional details about the vulnerability at this time “for our customers’ protection". The opaque response is typical of Apple and other vendors who want to warn and encourage customers to patch their systems without tipping their hat to criminals who are working to exploit the vulnerability before it's patched.
A new way to address security updates, Apple rolled out the Rapid Security Response in August “to deliver important security improvements between software updates” that “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited ‘in the wild.’”
The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Jan. 23 about the Apple security updates, which is Apple’s first of 2024. Apple patched 20 so-called “zero day” or “zero click” bugs last year.
In addition to CVE-2024-23222, another Webkit bug — CVE-2024-23206 — allowed a maliciously crafted website to "fingerprint a user," while a third Webkit bug — CVE-2024-23214 — also might lead to arbitrary code execution by visiting a maliciously crafted webpage.
Browser-based phishing attacks increased 198% in 2023, according to Menlo Security research set to be released on Jan. 24. That figure jumped to 206% when looking at attacks classified as evasive, according to cybersecurity firm, which use a range of techniques meant to evade traditional security controls.
"Once attackers have found a soft spot in one browser, they are also known to probe other browsers in the same area," said Litty. "So while it's unlikely that this is the exact same vulnerability, it wouldn't be too surprising if there was some shared DNA between the two in-the-wild exploits."