
Apple patches iOS, MacOS 0day that ‘may have been exploited’

Customers check out the newly launched iPhone 15 at Apple's flagship store in Shanghai, China, on September 24, 2023. (Photo by Costfoto/NurPhoto via Getty Images)

Apple released a bevy of security patches to address a range of vulnerabilities including a zero-day that “may have been exploited” in iPhones, iPads and Macintosh computers.

The specific zero-day flaw (CVE-2024-23222) is a Webkit bug that can lead to arbitrary code execution by processing maliciously crafted web content. Apple described it as a “type of confusion issue [that] was addressed with improved checks” in products running:

Apple did not disclose additional details about the vulnerability at this time “for our customers’ protection.” The opaque response is typical of Apple and other vendors who want to warn customers and encourage them to patch their systems without tipping their hand to criminals who are working to exploit the vulnerability before it is patched.

As a new way to deliver security updates, Apple rolled out Rapid Security Response in August “to deliver important security improvements between software updates” that “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited ‘in the wild.’”

The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Jan. 23 about the Apple security updates, which are Apple’s first of 2024. Apple patched 20 so-called “zero day” or “zero click” bugs last year.

In addition to CVE-2024-23222, another Webkit bug — CVE-2024-23206 — allowed a maliciously crafted website to "fingerprint a user," while a third Webkit bug — CVE-2024-23214 — also might lead to arbitrary code execution by visiting a maliciously crafted webpage.

Browser-based phishing attacks increased 198% in 2023, according to Menlo Security research set to be released on Jan. 24. That figure jumped to 206% when looking only at attacks classified as evasive, according to the cybersecurity firm; such attacks use a range of techniques meant to evade traditional security controls.

Given the limited information made available by Apple and Google about 2024's first browser zero days — CVE-2024-23222 and CVE-2024-0519, respectively — Menlo Chief Security Architect Lionel Litty said it was challenging to say whether the same vulnerability was exploited since the Chrome CVE was in the JavaScript engine (v8) and Safari uses a different JavaScript engine. However, it is not uncommon for different implementations to have very similar flaws, he continued.

"Once attackers have found a soft spot in one browser, they are also known to probe other browsers in the same area," said Litty. "So while it's unlikely that this is the exact same vulnerability, it wouldn't be too surprising if there was some shared DNA between the two in-the-wild exploits."

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
