Apple patches Critical RCE bug in IOS
- Johnny On the Spot
- Mar 27, 2024
- 2 min read
Apple has revealed more about the mystery iOS and iPadOS 17.4.1 patches it quietly deployed last week.
The patches fix a new OS vulnerability that lets remote attackers run arbitrary code on iPhones and iPads.
The susceptible library affects iPhone XS, iPad Pro 12.9-inch second generation, iPad Pro 11-inch first generation, iPad Air third generation, and iPad mini fifth generation. Installing the latest iOS and iPadOS updates mitigates CVE-2024-1580 risk.
Apple Writes Out of Bounds
CVE-2024-1580 is an out-of-bounds write problem in dav1d AV1, an open-source library for decoding AV1 video on several systems. Apple iOS and iPadOS's Core Media framework for processing multimedia data on many Apple platforms and WebRTC implementation for supporting live audio and video feeds in mobile apps are vulnerable. Apple updated iOS, iPadOS, Safari, macOS Sonoma and Ventura, and visionOS for the new Vision Pro headset to solve
CVE-2024-1580 this week. The updates came weeks after Apple released iOS 17.4.
Apple praised a Google Project Zero bug-hunter for discovering and reporting the vulnerability.
Risky Flaw?
Apple's failure to disclose the bug last week suggested that the firm considered it harmful, according to security expert Paul Ducklin. "We're guessing, from Apple's purposeful silence when the first fixes came out last week, that the CVE-2024-1580 bug was considered dangerous to document before the patches for other platforms, notably macOS, were published," he said in a post.
Ducklin added that the company believes that the minimal information it disclosed on March 26 about CVE-2024-1580 is enough for threat actors and researchers to reverse-engineer the update and create a functional exploit. He encouraged vulnerable consumers and companies to upgrade iOS, iPadOS, macOS, and other applications quickly.
Google classified the bug as a medium severity issue with high attack complexity, saying that an attacker would need just low-level privileges but access to the local network or proximity to a vulnerable system to exploit it.
Three Apple Zero-Day Bugs...
Google's Project Zero spreadsheet has three Apple-related zero-day problems in 2024. The three problems include CVE-2024-23222, a Safari WebKit browser engine remote code execution bug, and CVE-2024-23225 and CVE-2024-23296, two iOS kernel vulnerabilities that attackers exploited to assault iPhone users before Apple fixed them.
CVE-2024-0519, a Chrome memory corruption flaw that Google corrected days before Apple published its WebKit Safari zero-day, is Google's fourth zero-day for 2024.