Apple Security Bug Opens iPhone, iPad to RCE

Apple has finally released more details about the mysterious updates the company quietly rolled out last week for iOS and iPadOS 17.4.1.

Apparently, the updates concern a new vulnerability in both operating systems that allows a remote attacker to execute arbitrary code on affected iPhones and iPads.

Apple iOS and iPadOS products affected by the vulnerable library include iPhone XS and later, iPad Pro 12.9-inch second generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, and iPad mini fifth generation and later. Users of these devices can mitigate the risk from the vulnerability, identified as CVE-2024-1580, by installing the new iOS and iPadOS updates.

An Apple out-of-bounds write problem

CVE-2024-1580 results from an out-of-bounds write issue in dav1d AV1, an open source library for decoding AV1 video across a wide range of devices and platforms. The two Apple iOS and iPadOS components affected by the vulnerability are the Core Media framework for processing media data across a variety of Apple platforms and the company’s WebRTC implementation for supporting live audio and video feed streams in mobile apps.

In addition to updating iOS and iPadOS, Apple also released updates this week to address CVE-2024-1580 in other products, including its Safari web browser, macOS Sonoma and Ventura, and its visionOS software for the company’s new Vision Pro headset. Apple’s updates come just weeks after the company released iOS 17.4

Apple credited a researcher from Google’s Project Zero bug research team with identifying and reporting the vulnerability to the company.

Potentially dangerous defect?

Security researcher Paul Ducklin identified Apple’s hesitation in releasing details of the defect last week as a sign that the company probably assessed the defect as dangerous.

“We assume, from Apple’s deliberate silence when the first fixes appeared last week, that the CVE-2024-1580 bug was considered dangerous to document before patches for other platforms, particularly macOS, were released,” he wrote in a blog post.

It also suggests that the company considers the basic information released on March 26 about CVE-2024-1580 as giving threat actors and researchers enough information to reverse engineer the update and develop a working exploit, Ducklin said. He advised users and organizations using affected devices to immediately update to new versions of iOS, iPadOS, macOS and other affected software.

Google rated the bug as a medium-severity issue with high attack complexity, noting that an attacker would require only low-level privileges to exploit the bug, but would need local network access or to be physically close to a vulnerable system to succeed.

Three Apple Zero-Day Bugs… So Far

So far in 2024, three of the four zero-day bugs that Google has included in its Project Zero spreadsheet are Apple-related. The three bugs are CVE-2024-23222, a remote code execution bug in the WebKit browser engine for Safari, and CVE-2024-23225 and CVE-2024-23296, two iOS kernel vulnerabilities that attackers were actively exploiting in attacks against iPhone users before Apple found a fix.

Google did not immediately respond to a request from Dark Reading for more information on the flaw’s exploitability or whether Project Zero researchers have observed any exploit activity targeting the flaw in the wild.

The fourth zero day that Google has in its Project Zero spreadsheet for 2024 is CVE-2024-0519, an actively attacked memory corruption bug in Chrome that the company patched days before Apple revealed its Safari WebKit zero-day.


