On Monday, Apple issued security updates across several platforms, including iOS, iPadOS, macOS, tvOS, and the Safari web browser, to address a recently discovered zero-day vulnerability that has been actively exploited. The issue, tracked as CVE-2024-23222, is categorized as a type confusion bug. Exploiting it could allow a malicious actor to execute arbitrary code by means of crafted web content. Apple reported that the flaw has been addressed with improved checks.
Type confusion vulnerabilities, like the one fixed in this update, can be leveraged for out-of-bounds memory access, crashes, and arbitrary code execution.
While Apple acknowledged being “aware of a report that this issue may have been exploited,” specific details regarding the nature of the attacks or the identity of threat actors were not disclosed in the brief advisory.
The security updates are applicable to the following devices and operating systems:
This development marks Apple’s first response to an actively exploited zero-day vulnerability in the current year. In the previous year, Apple addressed a total of 20 zero-days that were actively used in real-world attacks.
Additionally, Apple has retroactively applied fixes for CVE-2023-42916 and CVE-2023-42917, vulnerabilities for which patches were released in December 2023. These fixes have been extended to older devices, including iPhone 6s, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
This announcement comes on the heels of a separate report revealing that Chinese authorities used known vulnerabilities in Apple’s AirDrop functionality to help law enforcement identify individuals sending inappropriate content, employing a technique based on rainbow tables.