Apple released security updates to address this year's first zero-day vulnerability exploited in attacks that could impact iPhones, Macs, and Apple TVs.
The zero-day fixed today is tracked as CVE-2024-23222 [iOS, macOS, tvOS, Safari] and is a WebKit confusion issue that attackers could exploit to gain code execution on targeted devices.
Successful exploitation enables threat actors to execute arbitrary malicious code on devices running vulnerable iOS, macOS, and tvOS versions after opening a malicious web page.
"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited," Apple said today.
The company has yet to attribute the discovery of this security vulnerability to a security researcher. Although the company disclosed that it's aware of in-the-wild exploitation, it has yet to publish further details regarding these attacks.
Apple addressed CVE-2024-23222 with improved checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and higher, as well as on tvOS 17.3 and later.
The complete list of devices impacted by this WebKit zero-day is quite extensive, as the bug affects older and newer models, including:
- iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey and later
- Apple TV HD and Apple TV 4K (all models)
While this zero-day vulnerability was likely only used in targeted attacks, installing today's security updates as soon as possible is highly advised to block potential attack attempts.
Today, Apple also backported patches to older iPhone and iPad models for two other WebKit zero-days (CVE-2023-42916 and CVE-2023-42917) patched in November for newer devices.
Last year, the company fixed a total of 20 zero-day flaws exploited in the wild, including:
- two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
- two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
- five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February