Apple Security Bug Opens iPhone, iPad to RCE

  /     /     /  
Publicated : 23/11/2024   Category : security


Apple Security Bug Opens iPhone, iPad to RCE


CVE-2024-1580 allows remote attackers to execute arbitrary code on affected devices.



Apple finally has released more details on the mysterious updates the company silently pushed last week for iOS and iPadOS 17.4.1.
As it turns out, the updates address a
new vulnerability
in the respective operating systems that allows a remote attacker to execute arbitrary code on affected iPhones and iPads.
Apple iOS and iPadOS products affected by the vulnerable library include iPhone XS and later, iPad Pro 12.9-inch second generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, and iPad mini fifth generation and later. Users of these devices can mitigate the risk from the vulnerability identified as
CVE-2024-1580
by installing the new iOS and iPadOS updates.
CVE-2024-1580 stems from an out-of-bounds write issue in dav1d AV1, an open source library for decoding AV1 video on a wide range of devices and platforms. The two Apple iOS and iPadOS components affected by the vulnerability are its Core Media framework for processing multimedia data on a variety of Apple platforms, and the companys WebRTC implementation for supporting live audio and video feeds streams in mobile apps.
In addition to updating iOS and iPadOS, Apple this week also released updates to address CVE-2024-1580 in other products, including its
Safari Web browser
, macOS
Sonoma
and
Ventura,
 and its
visionOS
software for the companys new Vision Pro headset. Apples updates come just weeks after the company released iOS 17.4
Apple credited a researcher at Googles Project Zero bug-hunting team for finding and reporting the vulnerability to the company.
Security researcher Paul Ducklin identified Apples
hesitation to release details of the flaw last week
as a sign that the company likely assessed the flaw as being dangerous.
Were guessing, from Apples purposeful silence when the first fixes came out last week, that the CVE-2024-1580 bug was considered dangerous to document before the patches for other platforms, notably macOS, were published,
he wrote in a blog post
.
It also suggests that the company considers even the basic information it released on March 26 about CVE-2024-1580 as giving threat actors and researchers enough information to reverse engineer the update and develop a working exploit, Ducklin said. He advised users and organizations using affected devices to immediately update to the newet versions of iOS, iPadOS, macOS, and other affected software.
Google has assessed the bug as a medium severity issue with high attack complexity, noting that an attacker would require only low level privileges to exploit the bug, but would need access to the local network or be physically near a vulnerable system to be successful.
So far in 2024, three of the four zero-day bugs that Google has included in its Project Zero spreadsheet are Apple related. The three bugs include
CVE-2024-23222
, a remote code execution bug in the WebKit browser engine for Safari, and
CVE-2024-23225 and CVE-2024-23296
, two kernel vulnerabilities in iOS that attackers were actively exploiting in attacks against iPhone users before Apple had a fix for it.
Google did not respond immediately to a Dark Reading request for more information about the exploitability of the flaw or whether Project Zero researchers have observed any exploit activity targeting the flaw in the wild.
The fourth zero-day that Google has on its Project Zero spreadsheet for 2024 is
CVE-2024-0519
, an actively attacked memory corruption bug in Chrome that the company patched days before Apple disclosed its WebKit Safari zero-day.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Apple Security Bug Opens iPhone, iPad to RCE