Update now! Apple releases patch for zero-day vulnerability
Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.
Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.
The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.
If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.
Updates are available for:
| Safari 17.3 | macOS Monterey and macOS Ventura |
| iOS 17.3 and iPadOS 17.3 | iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later |
| iOS 16.7.5 and iPadOS 16.7.5 | iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation |
| iOS 15.8.1 and iPadOS 15.8.1 | iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) |
| macOS Sonoma 14.3 | macOS Sonoma |
| macOS Ventura 13.6.4 | macOS Ventura |
| macOS Monterey 12.7.3 | macOS Monterey |
| watchOS 10.3 | Apple Watch Series 4 and later |
| tvOS 17.3 | Apple TV HD and Apple TV 4K (all models) |
Technical details
The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.
Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.
Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.
CISA
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
