Apple Security Bug Opens iPhone, iPad to RCE

Apple has finally released more details on the mysterious updates the company silently pushed last week for iOS and iPadOS 17.4.1.

As it turns out, the updates address a new vulnerability in the respective operating systems that allows a remote attacker to execute arbitrary code on affected iPhones and iPads.

Apple iOS and iPadOS products affected by the vulnerable library include iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, and iPad mini 5th generation and later. Users of these devices can mitigate the risk from the vulnerability, identified as CVE-2024-1580, by installing the new iOS and iPadOS updates.

An Apple Out-of-Bounds Write Issue

CVE-2024-1580 stems from an out-of-bounds write issue in the dav1d AV1 decoder, an open source library for decoding AV1 video on a wide range of devices and platforms. The two Apple iOS and iPadOS components affected by the vulnerability are its CoreMedia framework for processing multimedia data across Apple platforms, and the company's WebRTC implementation for supporting live audio and video streams in mobile apps.

In addition to updating iOS and iPadOS, Apple this week also released updates to address CVE-2024-1580 in other products, including its Safari Web browser, macOS Sonoma and Ventura, and its visionOS software for the company's new Vision Pro headset. Apple's updates come just weeks after the company released iOS 17.4

Apple credited a researcher at Google's Project Zero bug-hunting team for finding and reporting the vulnerability to the company.

Potentially Dangerous Flaw?

Security researcher Paul Ducklin identified Apple's hesitation to release details of the flaw last week as a sign that the company likely assessed the flaw as being dangerous.

“We’re guessing, from Apple’s purposeful silence when the first fixes came out last week, that the CVE-2024-1580 bug was considered dangerous to document before the patches for other platforms, notably macOS, had been published,” he wrote in a blog post.

It also suggests that the company considers even the basic information it released on March 26 about CVE-2024-1580 as giving threat actors and researchers enough information to reverse engineer the update and develop a working exploit, Ducklin said. He advised users and organizations using affected devices to immediately update to the newest versions of iOS, iPadOS, macOS, and other affected software.
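A fleet-side way to act on that advice is to compare every device's reported OS version against the first build that carries the CVE-2024-1580 fix. The script below is an added example for this article, not code from Apple, Google or Dark Reading. The article names only iOS/iPadOS 17.4.1; the thresholds for macOS Sonoma (14.4.1), macOS Ventura (13.6.6), visionOS (1.1.1) and Safari (17.4.1) are taken from Apple's March 25, 2024 security releases and are assumptions as far as this page is concerned. The inventory rows are constructed sample data in the shape of a typical MDM CSV export.

```python
"""Flag Apple devices in an inventory export that still lack the
CVE-2024-1580 fix.

Added example, not Apple's, Google's or Dark Reading's code. Thresholds for
macOS, visionOS and Safari are assumptions taken from Apple's 2024-03-25
security releases; the article itself names only iOS/iPadOS 17.4.1.
"""
import csv
import io
import re

# First version per product line that carries the CVE-2024-1580 fix.
# macOS is keyed on the major version so a Sonoma host is compared with
# 14.4.1 and a Ventura host with 13.6.6, not with a single threshold.
PATCHED = {
    "iOS": {17: (17, 4, 1)},
    "iPadOS": {17: (17, 4, 1)},
    "macOS": {14: (14, 4, 1), 13: (13, 6, 6)},   # Sonoma, Ventura (assumed)
    "visionOS": {1: (1, 1, 1)},                  # assumed
    "Safari": {17: (17, 4, 1)},                  # assumed
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1). Rejects junk such as
    '17.4.1 (21E236)' so a malformed export is never treated as patched."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def status(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device record.
    'unknown' covers products this check does not track and major versions
    with no threshold on file; those need a manual look, not a silent pass."""
    thresholds = PATCHED.get(product)
    if thresholds is None:
        return "unknown"
    v = parse_version(version)
    fixed = thresholds.get(v[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders 17.4 < 17.4.1 < 17.10 correctly; a plain
    # string comparison would call "17.10" older than "17.4".
    return "patched" if v >= fixed else "vulnerable"


def triage(csv_text):
    """Read an inventory CSV with device,product,version columns and return
    {status: [device, ...]} with devices in file order."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            s = status(row["product"], row["version"])
        except ValueError:
            s = "unknown"
        out[s].append(row["device"])
    return out


# Constructed sample export; the device names are not real assets.
SAMPLE_INVENTORY = """device,product,version
ip-001,iOS,17.4.1
ip-002,iOS,17.4
ipad-003,iPadOS,17.3.1
mac-004,macOS,14.4.1
mac-005,macOS,13.6.5
mac-006,macOS,12.7.4
vp-007,visionOS,1.1.1
ip-008,iOS,16.7.7
ip-009,iOS,17.4.1 (21E236)
"""

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(devices) or '-'}")
```

Devices on a major version without a threshold (the macOS 12 and iOS 16 rows) land in the unknown bucket on purpose: Apple's advisory for this CVE does not list builds for those lines, so they need a separate decision rather than being counted as patched. The same applies to rows whose version field carries a build identifier or other noise, which the parser refuses rather than guesses at.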

Google has assessed the bug as a medium-severity issue with high attack complexity, noting that an attacker would require only low-level privileges to exploit the bug but would need access to the local network or to be physically near a vulnerable device to be successful.

Three Apple Zero-Day Bugs … So Far

So far in 2024, three of the four zero-day bugs that Google has included in its Project Zero spreadsheet are Apple related. The three bugs are CVE-2024-23222, a remote code execution bug in the WebKit browser engine for Safari, and CVE-2024-23225 and CVE-2024-23296, two kernel vulnerabilities in iOS that attackers were actively exploiting in attacks against iPhone users before Apple had a fix for them.

Google did not respond immediately to a Dark Reading request for more information about the exploitability of the flaw or whether Project Zero researchers have observed any exploit activity targeting the flaw in the wild.

The fourth zero-day that Google has on its Project Zero spreadsheet for 2024 is CVE-2024-0519, an actively attacked memory corruption bug in Chrome that the company patched days before Apple disclosed its WebKit Safari zero-day.
