
Apple WebKit Zero-Day vulnerability (CVE-2024-23222)

Advisory No: TZCERT/SA/2024/01/24

Date of First Release: 24th January 2024

Source: Apple

Software Affected:

  • Safari 17.3 – For Macs running macOS Monterey and macOS Ventura
  • iOS 17.3 and iPadOS 17.3 – For iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.5 and iPadOS 16.7.5 – For iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • macOS Sonoma 14.3 – For Macs running macOS Sonoma
  • macOS Ventura 13.6.4 – For Macs running macOS Ventura
  • macOS Monterey 12.7.3 – For Macs running macOS Monterey
  • tvOS 17.3 – For Apple TV HD and Apple TV 4K (all models)

Overview:

Apple has released security updates for iOS, iPadOS, macOS, tvOS, and the Safari web browser to address a zero-day vulnerability that is being exploited by malicious actors. Successful exploitation of this flaw may allow an attacker to execute arbitrary code.

Description:

The vulnerability (CVE-2024-23222, CVSS score: 7.5) is a type confusion flaw in WebKit, Apple’s web browser engine. The vulnerability could allow attackers to execute arbitrary code while the victim device processes maliciously crafted web content.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution:

Apple has released security updates to resolve this vulnerability. Users and administrators are encouraged to update as soon as possible.
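
One way to check a device inventory against the releases listed in this advisory, as an added example that is not part of the original advisory or of any Apple tooling. It assumes each listed release is the minimum patched version for its major-version branch; the inventory rows, host names and the `status` and `audit` functions are constructed for illustration.

```python
# Added example. Release numbers are the ones listed in this advisory; treating
# each as the minimum patched version for its major branch is an assumption.
FIXED = {
    "ios":    {16: (16, 7, 5), 17: (17, 3)},
    "ipados": {16: (16, 7, 5), 17: (17, 3)},
    "macos":  {12: (12, 7, 3), 13: (13, 6, 4), 14: (14, 3)},
    "tvos":   {17: (17, 3)},
    "safari": {17: (17, 3)},
}

INVENTORY = [  # constructed sample rows (host, product, version), not real data
    ("ceo-iphone", "iOS", "17.2.1"),
    ("lab-ipad", "iPadOS", "16.7.5"),
    ("build-mac", "macOS", "13.6.3"),
    ("design-mac", "macOS", "14.3"),
    ("lobby-tv", "tvOS", "17.3"),
    ("old-iphone", "iOS", "15.8"),
]

def pad(version, length=3):
    """Right-pad with zeros so (17, 3) and (17, 3, 0) compare as equal."""
    return tuple(version) + (0,) * (length - len(version))

def status(product, version_text):
    """Classify one device as patched, needs-update, not-listed or unparseable."""
    branches = FIXED.get(product.lower(), {})
    try:
        version = tuple(int(p) for p in version_text.strip().split("."))
    except ValueError:
        return "unparseable"
    minimum = branches.get(version[0])
    if minimum is None:
        return "not-listed"  # no release for this branch is named in the advisory
    return "patched" if pad(version) >= pad(minimum) else "needs-update"

def audit(inventory):
    """Map each host name to its status."""
    return {host: status(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:12} {result}")
```

Devices reported as not-listed run a branch for which this advisory names no update, so they need a manual check against Apple's security releases page.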

References:

  1. https://support.apple.com/en-us/HT201222
  2. https://www.helpnetsecurity.com/2024/01/23/cve-2024-23222/
  3. https://nvd.nist.gov/vuln/detail/CVE-2024-23222
