Apple Patches Two New iOS Security Vulnerabilities: CVE-2024-44204 and CVE-2024-44207

October 4, 2024

Apple has addressed two separate bugs that could have compromised the privacy of iPhone and iPad users. The first involved the VoiceOver accessibility feature, which could read a user's saved passwords aloud. The second affected audio messages on the new iPhone models, which could record a few seconds of audio before the user was aware the microphone was active. Both issues are fixed in iOS and iPadOS 18.0.1 with improved validation and checks, and users should update their devices promptly.

Michael Covington, vice president of portfolio strategy at Jamf, noted that neither issue involved a remote exploit; rather, both were problems that could arise during ordinary use of the device, with user privacy as the primary risk. Covington advised businesses that use mobile devices for work to pay close attention to these issues and to update their devices promptly.

The first issue concerned VoiceOver, an accessibility feature that reads on-screen elements aloud for visually impaired users. Not everything on a device should be read aloud, however, and passwords are the clearest example. With iOS and iPadOS 18, Apple introduced a new app called Passwords for storing and managing logins. The bug, tracked as CVE-2024-44204, was a logic issue that could allow VoiceOver to read a user's saved passwords aloud, and it affected virtually every iPhone and iPad model released since 2018. Because VoiceOver is off by default, only users who had enabled the feature were exposed.

Covington mentioned that this was not the first time accessibility features had been misused. There have been previous instances where screen reader technology was used by rogue apps to capture on-screen details and extract data from the device. However, most accessibility features undergo extensive security and privacy testing, so such scenarios are rare.

The second issue, tracked as CVE-2024-44207, involved audio messages on the new iPhone 16 models. A security researcher found that an audio message could capture a few seconds of audio before the user was aware the microphone was active. While this may seem like a minor issue, Covington pointed out that this disconnect between device function and visual indicators has been linked to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it could be exploited was a significant win for Apple.

As of now, neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS), and no further details are publicly available at this time.
