Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Code Execution Vulnerability in iOS, macOS

Apple has released iOS 17.4.1 and macOS Sonoma 14.4.1 with patches for an arbitrary code execution vulnerability.

Apple patches vulnerabilities

Apple has released fresh security updates for iOS and macOS devices to resolve an arbitrary code execution vulnerability.

The issue, tracked as CVE-2024-1580 and described as an integer overflow leading to out-of-bounds write, impacts the CoreMedia and WebRTC components of both iOS and macOS and could be triggered during image processing.

The security defect is not specific to Apple’s products, but affects the dav1d open source AV1 cross-platform decoder and was resolved in dav1d version 1.4.0 in February.

“An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder,” a NIST NVD advisory reads.

Apple, which warns that the issue could be exploited to achieve arbitrary code execution during the processing of an image, says it has addressed it with improved input validation.

The tech giant has included patches for the bug in iOS and iPadOS 17.4.1, iOS and iPadOS 16.7.7, visionOS 1.1.1, macOS Sonoma 14.4.1, macOS Ventura 13.6.6, and Safari 17.4.1 (for macOS Monterey and macOS Ventura).

The company has credited Google Project Zero researcher Nick Galloway for reporting the bug.

Galloway has provided a technical writeup on this issue, along with proof-of-concept (PoC) code demonstrating it. The writeup was made public earlier this month.

Advertisement. Scroll to continue reading.

CVE-2024-1580 is a medium-severity vulnerability. Although it can be exploited from the network with low privileges and no user interaction and has high impact on integrity, the flaw has low impact on confidentiality.

There are no reports of this bug being exploited in attacks, but the fact that Apple has released security updates just for it suggests that users should take immediate action and patch their devices.

Additional information on the Apple patches can be found on the company’s security releases page.

Related: Apple Blunts Zero-Day Attacks With iOS 17.4 Update

Related: Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation

Related: Apple Ships iOS 17.3, Warns of WebKit Zero-Day Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.