Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine

The new bug is Apples 12th WebKit zero-day in the last year, highlighting the increasing enterprise exposure to browser-borne threats.

Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari.
The bug, assigned as
CVE-2024-23222
, stems from a
type confusion error
, which basically is what happens when an application incorrectly assumes the input it receives is of a certain type without actually validating — or incorrectly validating — that to be the case.
Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. Apple is aware of a report that this issue may have been exploited, the companys advisory noted, without offering any further details.
The company has released
updated versions
of iOS, iPadOS, macOS, iPadOS, and tvOS with additional validation checks to address the vulnerability.
CVE-2024-23222 is the first zero-day vulnerability that Apple has disclosed in WebKit in 2024. Last year, the company disclosed a total of 11 zero-day bugs in the technology — its most ever in a single calendar year. Since 2021, Apple has disclosed a total of 22 WebKit zero-day bugs, highlighting the growing interest in the browser from both researchers and attackers.
In parallel, Apples disclosure of the new WebKit zero-day follows on Googles disclosure last week of a
zero-day in Chrome
. It marks at least the third time in recent months where both vendors have disclosed zero-days in their respective browsers in close proximity to each other. The trend suggests that researchers and attackers are probing almost equally for flaws in both technologies, likely because Chrome and Safari are also the most widely used browsers.
Apple has not disclosed the nature of the exploit activity targeting the newly disclosed zero-day bug. But researchers have reported seeing commercial spyware vendors abusing some of the companys more recent ones, to drop surveillance software on iPhones of target subjects.
In September 2023, Toronto Universitys Citizen Lab warned Apple about
two no-click zero-day vulnerabilities
in iOS that a vendor of surveillance software had exploited to drop the Predator spyware tool on an iPhone belonging to an employee at a Washington, D.C.-based organization. The same month, Citizen Lab researchers also reported a separate zero-day exploit chain — which included a Safari bug — they had discovered targeting iOS devices.
Google has flagged similar concerns in Chrome, almost in tandem with Apple, on a few occasions recently. In September 2023, for instance, near the same time Apple disclosed its zero-day bugs, researchers from Googles threat analysis group identified a commercial software company called Intellexa as developing an exploit chain — which included a Chrome zero-day (
CVE-2023-4762
) — to install Predator on Android devices. Just a few days earlier, Google had disclosed another zero-day in Chrome (
CVE-2023-4863
) in the same image processing library in which Apple had disclosed a zero-day.
Lionel Litty, chief security architect at browser security firm Menlo Security, says its hard to say if theres any connection between Google and Apples first browser zero-days for 2024, given the limited information currently available. The Chrome CVE was in the JavaScript engine (v8) and Safari uses a different JavaScript engine, Litty says. However, it is not uncommon for different implementations to have very similar flaws.
Once attackers have found a soft spot in one browser, they are also known to probe other browsers in the same area, Litty says. So, while its unlikely that this is the exact same vulnerability, it wouldnt be too surprising if there was some shared DNA between the two in-the-wild exploits.
Surveillance vendors are, by far, not the only ones trying to exploit browser vulnerabilities and browsers in general. According to a soon-to-be-released report from Menlo Security, there was a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first six months of the year. Evasive attacks — a category that Menlo describes as using techniques to evade traditional security controls — surged even higher, by 206%, and accounted for 30% of all browser-based attacks in the second half of 2023.
Over a 30-day period, Menlo says it observed more than 11,000 so-called zero-hour browser-based phishing attacks evade Secure Web Gateway and other endpoint threat detection tools.
The browser is the business application enterprises cant live without, but it has fallen behind from a security and manageability perspective, Menlo said in the upcoming report.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine