Apple Releases Details on Security Bug Allowing Remote Code Execution
March 26, 2024
Apple has recently shed light on the security updates it quietly rolled out last week for iOS and iPadOS 17.4.1. The updates were designed to address a new vulnerability, CVE-2024-1580, that could allow a remote attacker to execute arbitrary code on certain iPhones and iPads. The flaw is present in iPhone XS and subsequent models, as well as in various iPad models. To protect their devices, users are advised to install the updated iOS and iPadOS versions.
The vulnerability, CVE-2024-1580, arises from an out-of-bounds write issue in the open source dav1d library, which is used for decoding AV1 video across a broad range of devices and platforms. The vulnerability affects Apple's Core Media framework, which processes multimedia data on numerous Apple platforms, and the company's WebRTC implementation, which supports live audio and video feeds in mobile applications.
Alongside the iOS and iPadOS updates, Apple also released updates for other products to address CVE-2024-1580. These include Safari, macOS Sonoma and Ventura, and visionOS software for the company's new Vision Pro headset. These updates follow closely on the heels of the release of iOS 17.4.
The vulnerability was identified and reported by a researcher from Google's Project Zero bug-hunting team. Security researcher Paul Ducklin noted that Apple's delay in disclosing the details of the flaw likely indicates that the company deemed it dangerous. He wrote, 'We're guessing, from Apple's purposeful silence when the first fixes came out last week, that the CVE-2024-1580 bug was considered dangerous to document before the patches for other platforms, notably macOS, were published.'
Ducklin suggested that even the basic information Apple released about CVE-2024-1580 on March 26 could provide enough data for threat actors and researchers to reverse engineer the update and create a working exploit. He recommended that users and organizations with affected devices promptly update to the newest versions of iOS, iPadOS, macOS, and any other affected software.
Google has classified the bug as a medium severity issue with high attack complexity. An attacker would need only low-level privileges to exploit the bug, but would require access to the local network or proximity to a vulnerable system for a successful attack.
To date in 2024, three of the four zero-day bugs listed in Google's Project Zero spreadsheet are related to Apple. These include CVE-2024-23222, a remote code execution bug in Safari's WebKit browser engine, and CVE-2024-23225 and CVE-2024-23296, two kernel vulnerabilities in iOS that attackers were exploiting against iPhone users before Apple released a fix. The fourth zero-day, CVE-2024-0519, is a memory corruption bug in Chrome that was under active attack and that Google patched shortly before Apple disclosed its WebKit Safari zero-day.