Apple has introduced the first security update for its recently launched Vision Pro virtual reality headset. This comes as the US cybersecurity agency, CISA, issued a warning about the exploitation of an iOS vulnerability. The update for Vision Pro is specifically for the visionOS spatial computing operating system that powers the VR headset. It addresses CVE-2024-23222, a WebKit vulnerability that enables arbitrary code execution via specially designed web content.
Apple revealed this flaw in January, stating that it might have been used in malicious attacks, although no specific details are available. The vulnerability affects several iPhone and iPad models and was fixed with the release of iOS 17.3 and iPadOS 17.3. In the security advisory for visionOS 1.0.2, Apple included a warning about potential exploitation of CVE-2024-23222, but this does not necessarily mean that VR headsets have been targeted.
Typically, vulnerabilities of this kind are exploited in highly targeted attacks by spyware companies and their clients against iPhone users. However, components like WebKit are utilized across multiple products, and Apple includes an exploitation warning in each advisory, regardless of whether there is evidence of attacks against the specific product. Apple clarified in the fall that “most frameworks available in iPadOS and iOS are also included in visionOS, which means nearly all iPad and iPhone apps can run on visionOS, unmodified.” This suggests that some iOS vulnerabilities will also affect visionOS, although it is unlikely that Vision Pro users will be targeted soon.
The first security update for visionOS was announced on January 31, just two days before the official launch of the Vision Pro, which starts at $3,499. On the same day, CISA added CVE-2022-48618 to its catalog of known exploited vulnerabilities. This flaw affects iOS and iPadOS, and Apple stated it might have been used against iPhones running iOS 15.17.1 and earlier. On January 9, 2024, Apple quietly added this vulnerability to the iOS and macOS advisories originally published in December 2022. There do not appear to be any prior reports describing the exploitation of this vulnerability.