Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.
The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.
Type confusion vulnerabilities, in general, could be weaponized to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.
Apple, in a terse advisory, acknowledged that it’s “aware of a report that this issue may have been exploited,” but did not share any other specifics about the nature of attacks or the threat actors leveraging the shortcoming.
The updates are available for the following devices and operating systems –
The development marks the first actively exploited zero-day vulnerability to be patched by Apple this year. Last year, the iPhone maker had addressed 20 zero-days that have been employed in real-world attacks.
In addition, Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917 – patches for which were released in December 2023 – to older devices –
The disclosure also follows a report that Chinese authorities revealed that they have used previously known vulnerabilities in Apple’s AirDrop functionality to help law enforcement to identify senders of inappropriate content, using a technique based on rainbow tables.