Vulnerabilities

Apple Patches Code Execution Vulnerability in iOS, macOS

Apple has released iOS 17.4.1 and macOS Sonoma 14.4.1 with patches for an arbitrary code execution vulnerability.

Ionut Arghire

Published

March 26, 2024

Apple patches vulnerabilities

Apple has released fresh security updates for iOS and macOS devices to resolve an arbitrary code execution vulnerability.

The issue, tracked as CVE-2024-1580 and described as an integer overflow leading to out-of-bounds write, impacts the CoreMedia and WebRTC components of both iOS and macOS and could be triggered during image processing.

The security defect is not specific to Apple’s products, but affects the dav1d open source AV1 cross-platform decoder and was resolved in dav1d version 1.4.0 in February.

“An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder,” a NIST NVD advisory reads.

Apple, which warns that the issue could be exploited to achieve arbitrary code execution during the processing of an image, says it has addressed it with improved input validation.

The tech giant has included patches for the bug in iOS and iPadOS 17.4.1, iOS and iPadOS 16.7.7, visionOS 1.1.1, macOS Sonoma 14.4.1, macOS Ventura 13.6.6, and Safari 17.4.1 (for macOS Monterey and macOS Ventura).

The company has credited Google Project Zero researcher Nick Galloway for reporting the bug.

Galloway has provided a technical writeup on this issue, along with proof-of-concept (PoC) code demonstrating it. The writeup was made public earlier this month.

Advertisement. Scroll to continue reading.

CVE-2024-1580 is a medium-severity vulnerability. Although it can be exploited from the network with low privileges and no user interaction and has high impact on integrity, the flaw has low impact on confidentiality.

There are no reports of this bug being exploited in attacks, but the fact that Apple has released security updates just for it suggests that users should take immediate action and patch their devices.

Additional information on the Apple patches can be found on the company’s security releases page.

In this article:Apple

Data Protection

New ‘GoFetch’ Apple CPU Attack Exposes Crypto Keys

Researchers detail GoFetch, a new side-channel attack impacting Apple CPUs that could allow an attacker to obtain secret keys.

Eduard KovacsMarch 22, 2024

Vulnerabilities

Apple Shortcuts Vulnerability Exposes Sensitive Information

High-severity vulnerability in Apple Shortcuts could lead to sensitive information leak without user’s knowledge.

Ionut ArghireFebruary 23, 2024

Data Protection

Apple Adds Post-Quantum Encryption to iMessage

Apple unveils PQ3, a new post-quantum cryptographic protocol for iMessage designed to protect communications against quantum computing attacks.

Eduard KovacsFebruary 21, 2024

Vulnerabilities

Apple Patches Keystroke Injection Vulnerability in Magic Keyboard

Apple’s latest Magic Keyboard firmware addresses a recently disclosed Bluetooth keyboard injection vulnerability.

Ionut ArghireJanuary 12, 2024

Mobile & Wireless

China Says State-Backed Experts Crack Apple’s AirDrop

Chinese state-backed experts have found a way to identify people who use Apple's encrypted AirDrop messaging service, according to the Beijing municipal government.

AFPJanuary 10, 2024