Apple has released a series of security updates on Monday to address multiple vulnerabilities in their products, including a zero-day vulnerability that “could be exploited” in iOS, iPadOS, and macOS operating systems.
The specific zero-day vulnerability, identified as CVE-2024-23222, is found in WebKit and could lead to arbitrary code execution through the processing of malicious web content. Apple described it as a “confusion problem” that has been resolved with enhanced checks in iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, and Safari 17.3.
As usual, Apple has not disclosed detailed information about the vulnerabilities, except what is mentioned in their “Security Response” to protect customers. In August, Apple implemented Rapid Security Response to provide significant security improvements between software updates, which can also be used to quickly mitigate certain security issues.
The Cybersecurity and Infrastructure Security Agency issued an alert on January 23rd regarding Apple’s security updates, which are the first in 2024. Apple addressed 20 zero-day or zero-click vulnerabilities last year.
In addition to CVE-2024-23222, another WebKit vulnerability (CVE-2024-23206) allowed a malicious website to “dejailbreak” a user, while a third WebKit vulnerability (CVE-2024-23214) could also result in arbitrary code execution through visiting a malicious website.
According to research by Menlo Security, browser-based phishing attacks increased by 198% in 2023. This figure rose to 206% for attacks categorized as evasive, employing various techniques to bypass traditional security controls.
Considering the limited availability of information regarding the initial browser zero-days in 2024 (CVE-2024-23222 and CVE-2024-0519), Lionel Litty, Chief Security Architect at Menlo, stated that it is difficult to determine if the same vulnerabilities were exploited since Chrome’s CVE pertained to the JavaScript engine (v8), while Safari uses a different JavaScript engine. However, it is not uncommon for different implementations to have very similar flaws. When attackers find a weak spot in one browser, they often test other browsers in the same area. Therefore, while it is unlikely to be the exact same vulnerability, it would not be surprising if there is some common DNA between the two attacks.
FAQ Section – Key Topics and Information:
1. What vulnerabilities were addressed in the Apple security updates?
Answer: The updates aimed to fix multiple vulnerabilities, including zero-day vulnerabilities that “could be exploited” in iOS, iPadOS, and macOS.
2. What was the specific zero-day vulnerability in WebKit?
Answer: The specific zero-day vulnerability, identified as CVE-2024-23222, occurred in WebKit and could lead to arbitrary code execution through the processing of malicious web content.
3. Which Apple products were covered by the security updates?
Answer: The updates covered iPhones, iPads, Macintosh computers, macOS Monterey, tvOS, and Safari.
4. What is Rapid Security Response?
Answer: Rapid Security Response is a new way of addressing security updates introduced by Apple in August, providing significant security improvements between software updates.
5. What WebKit vulnerabilities were fixed?
Answer: Alongside CVE-2024-23222, another WebKit bug (CVE-2024-23206) was fixed, which allowed a website to “dejailbreak” a user, and another WebKit bug (CVE-2024-23214) that could lead to arbitrary code execution through visiting a malicious website.
Key Term Definitions and Technical Language:
– Zero-day: Refers to vulnerabilities in a system that are unknown to the software vendor, thus lacking effective security measures. Cybercriminals can exploit these vulnerabilities before they are properly patched.
– WebKit: The browser engine used in Safari and other web browsers.
– CVE: Common Vulnerabilities and Exposures (CVE) is a standard way of identifying publicly known vulnerabilities in computer systems. Each CVE number is a unique identifier assigned to each vulnerability.
Suggested Related Links to the Main Domain:
– Apple Homepage
– Apple Support
– iPhone
– iPad
– macOS
– tvOS
– Safari
[embedded content]
The source of the article is from the blog scimag.news