Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Apple Patches Vision Pro Vulnerability Used in Possibly ‘First Ever Spatial Computing Hack’

Apple has released a visionOS update that patches CVE-2024-27812, which may be the first flaw specific to the VR headset.

Apple VIsion Pro vulnerability

Apple on Monday updated visionOS, the operating system powering its Vision Pro virtual reality headset, to version 1.2, which addresses several vulnerabilities, including what may be the first security flaw that is specific to this product.

visionOS 1.2 patches nearly two dozen vulnerabilities. However, a vast majority of them are in components that visionOS shares with other Apple products, such as iOS, macOS and tvOS.

Apple on Monday released the new visionOS security advisory and also updated iOS, macOS, and other advisories initially published in May to add the CVEs from the visionOS advisory.

The vulnerabilities can lead to arbitrary code execution, information disclosure, privilege escalation, and denial of service (DoS).

The vulnerability that stands out is CVE-2024-27812. This appears to be the only CVE that is specific to the Vision Pro headset, as it’s not listed in the advisories for any Apple product other than visionOS. 

According to Apple, CVE-2024-27812 is related to the processing of specially crafted web content and exploitation can lead to a DoS condition. 

“The issue was addressed with improvements to the file handling protocol,” Apple said in its advisory.

Ryan Pickren, the cybersecurity researcher credited by Apple for reporting this vulnerability, has confirmed for SecurityWeek that this is indeed a Vision Pro-specific vulnerability, and he believes “it is the first ever spatial computing hack”. 

Advertisement. Scroll to continue reading.

Pickren is not allowed to disclose any details until he gets approval from Apple. 

The researcher previously earned significant bug bounties from Apple, and was recently part of a team that developed malware designed to target modern programmable logic controllers (PLCs).

Related: Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation

Related: Apple Releases First-Ever Security Updates for Beats, AirPods Headphones

Related: Apple Patches Keystroke Injection Vulnerability in Magic Keyboard

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider Horizon3.ai.

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights