Connect with us

Hi, what are you looking for?


IoT Security

Apple Patches Vision Pro Vulnerability Used in Possibly ‘First Ever Spatial Computing Hack’

Apple has released a visionOS update that patches CVE-2024-27812, which may be the first flaw specific to the VR headset.

Apple VIsion Pro vulnerability

Apple on Monday updated visionOS, the operating system powering its Vision Pro virtual reality headset, to version 1.2, which addresses several vulnerabilities, including what may be the first security flaw that is specific to this product.

visionOS 1.2 patches nearly two dozen vulnerabilities. However, a vast majority of them are in components that visionOS shares with other Apple products, such as iOS, macOS and tvOS.

Apple on Monday released the new visionOS security advisory and also updated iOS, macOS, and other advisories initially published in May to add the CVEs from the visionOS advisory.

The vulnerabilities can lead to arbitrary code execution, information disclosure, privilege escalation, and denial of service (DoS).

The vulnerability that stands out is CVE-2024-27812. This appears to be the only CVE that is specific to the Vision Pro headset, as it’s not listed in the advisories for any Apple product other than visionOS. 

According to Apple, CVE-2024-27812 is related to the processing of specially crafted web content and exploitation can lead to a DoS condition. 

“The issue was addressed with improvements to the file handling protocol,” Apple said in its advisory.

Ryan Pickren, the cybersecurity researcher credited by Apple for reporting this vulnerability, has confirmed for SecurityWeek that this is indeed a Vision Pro-specific vulnerability, and he believes “it is the first ever spatial computing hack”. 

Advertisement. Scroll to continue reading.

Pickren is not allowed to disclose any details until he gets approval from Apple. 

The researcher previously earned significant bug bounties from Apple, and was recently part of a team that developed malware designed to target modern programmable logic controllers (PLCs).

Related: Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation

Related: Apple Releases First-Ever Security Updates for Beats, AirPods Headphones

Related: Apple Patches Keystroke Injection Vulnerability in Magic Keyboard

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Teresa Anania joins Sophos as the company's new Chief Customer Officer.

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

More People On The Move

Expert Insights