
Apple’s security bug opens iPhones and iPads to RCE

By thedailyposting.com | March 26, 2024


Apple has finally released details about the mysterious iOS and iPadOS 17.4.1 update it quietly pushed out last week.

As it turns out, the update addresses a new vulnerability in the respective operating systems that could allow a remote attacker to execute arbitrary code on an affected iPhone or iPad.

Apple iOS and iPadOS products affected by the vulnerable library include iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, and iPad mini 5th generation and later. Users of these devices can reduce their risk from the vulnerability, identified as CVE-2024-1580, by installing the new iOS and iPadOS updates.

Apple out-of-bounds write issue

CVE-2024-1580 is due to an out-of-bounds write issue in the dav1d AV1 decoder, an open source library for decoding AV1 video on a wide range of devices and platforms. The two components of Apple iOS and iPadOS affected by this vulnerability are the Core Media framework for processing multimedia data on various Apple platforms, and the company's WebRTC implementation for supporting live audio and video feed streams in mobile apps.

In addition to the iOS and iPadOS updates, Apple also released updates this week to address CVE-2024-1580 in other products: the Safari web browser, macOS Sonoma and Ventura, and the visionOS software for the company's new Vision Pro headset. Apple's update comes just weeks after the company released its iOS 17.4

Apple has confirmed that researchers from Google’s Project Zero bug-hunting team discovered the vulnerability and reported it to the company.

Potentially dangerous defect?

Security researcher Paul Ducklin said Apple's reluctance to reveal details of the flaw last week indicates that the company likely deemed the defect to be dangerous.

"My guess is that Apple's deliberate silence when the first fix was published last week suggests that documenting the CVE-2024-1580 bug before patches were available for other platforms, especially macOS, was considered dangerous," he wrote in a blog post.

It also suggests that even the basic information about CVE-2024-1580 that the company published on March 26th provides enough information for attackers and researchers to reverse engineer the update and develop a working exploit, Ducklin said. He advised users and organizations with affected devices to immediately update to the latest versions of iOS, iPadOS, macOS, and other affected software.

Google rates this bug as a medium-severity issue with high attack complexity, one that requires only low-level privileges to exploit but requires the attacker to have access to the local network, or to be physically close to a vulnerable system, to be successful.

Apple’s 3 zero-day bugs…so far.

So far in 2024, three of the four zero-day bugs Google has included in its Project Zero spreadsheet are Apple-related. The three bugs include CVE-2024-23222, a remote code execution bug in Safari's WebKit browser engine, and CVE-2024-23225 and CVE-2024-23296, two kernel vulnerabilities in iOS that attackers actively exploited in attacks against iPhone users before Apple fixed them.

Google did not immediately respond to Dark Reading’s request for more information about the exploitability of the flaw or whether Project Zero researchers had actually observed any exploit activity targeting the flaw.

The fourth zero-day listed by Google in its 2024 Project Zero spreadsheet is CVE-2024-0519, a memory corruption bug in Chrome that was being actively exploited, which the company patched just days before Apple disclosed the zero-day in Safari's WebKit.


