Article Details

Apple fixes first zero-day bug exploited in attacks this year. Apple released security updates to address this year's first zero-day vulnerability exploited in attacks that could impact iPhones, Macs, and Apple TVs. The zero-day fixed today is tracked as CVE-2024-23222 [iOS, macOS, tvOS] and is a WebKit confusion issue that attackers could exploit to gain code execution on targeted devices. Successful exploitation enables threat actors to execute arbitrary malicious code on devices running vulnerable iOS, macOS, and tvOS versions after opening a malicious web page. "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited," Apple said today. The company has yet to attribute the discovery of this security vulnerability to a security researcher. Although the company disclosed that it's aware of in-the-wild exploitation, it has yet to publish further details regarding these attacks. Apple addressed CVE-2024-23222 with improved checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and higher, as well as on tvOS 17.3 and later. The complete list of devices impacted by this WebKit zero-day is quite extensive, as the bug affects older and newer models, including: While this zero-day vulnerability was likely only used in targeted attacks, installing today's security updates as soon as possible is highly advised to block potential attack attempts. Today, Apple also backported patches to older iPhone and iPad models for two other WebKit zero-days (CVE-2023-42916 and CVE-2023-42917) patched in November. Last year, the company fixed a total of 20 zero-day flaws exploited in the wild, including: