Apple has released fresh security updates for iOS and macOS devices to resolve an arbitrary code execution vulnerability.
The issue, tracked as CVE-2024-1580 and described as an integer overflow leading to out-of-bounds write, impacts the CoreMedia and WebRTC components of both iOS and macOS and could be triggered during image processing.
The security defect is not specific to Apple’s products, but affects the dav1d open source AV1 cross-platform decoder and was resolved in dav1d version 1.4.0 in February.
“An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder,” a NIST NVD advisory reads.
Apple, which warns that the issue could be exploited to achieve arbitrary code execution during the processing of an image, says it has addressed it with improved input validation.
The tech giant has included patches for the bug in iOS and iPadOS 17.4.1, iOS and iPadOS 16.7.7, visionOS 1.1.1, macOS Sonoma 14.4.1, macOS Ventura 13.6.6, and Safari 17.4.1 (for macOS Monterey and macOS Ventura).
The company has credited Google Project Zero researcher Nick Galloway for reporting the bug.
Galloway has provided a technical writeup on this issue, along with proof-of-concept (PoC) code demonstrating it. The writeup was made public earlier this month.
CVE-2024-1580 is a medium-severity vulnerability. Although it can be exploited from the network with low privileges and no user interaction and has high impact on integrity, the flaw has low impact on confidentiality.
There are no reports of this bug being exploited in attacks, but the fact that Apple has released security updates just for it suggests that users should take immediate action and patch their devices.
Additional information on the Apple patches can be found on the company’s security releases page.
Related: Apple Blunts Zero-Day Attacks With iOS 17.4 Update
Related: Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation
Related: Apple Ships iOS 17.3, Warns of WebKit Zero-Day Exploitation