Apple has rolled out security updates to address the first zero-day vulnerability of 2024 that has been actively exploited in attacks. This vulnerability, identified as CVE-2024-23222, could potentially affect iPhones, Macs, and Apple TVs. This issue lies within WebKit, and if exploited, could allow threat actors to execute arbitrary malicious code on devices running vulnerable versions of iOS, macOS, and tvOS after users open a malicious web page.
Apple stated, 'Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.' The company has not yet identified a security researcher who discovered this vulnerability. Despite acknowledging the exploitation of this vulnerability in the wild, Apple has not disclosed further details about these attacks.
The tech giant has addressed CVE-2024-23222 by enhancing checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, macOS Monterey 12.7.3 and higher, as well as tvOS 17.3 and later. The list of devices affected by this WebKit zero-day is extensive, impacting both older and newer models.
While the exploitation of this zero-day vulnerability was likely limited to targeted attacks, Apple strongly recommends users to install the security updates as soon as possible to prevent potential attack attempts. In addition to this, Apple has also provided patches for two other WebKit zero-days (CVE-2023-42916 and CVE-2023-42917) to older iPhone and iPad models, which were initially patched in November.
In the previous year, Apple addressed a total of 20 zero-day vulnerabilities that were exploited in the wild.