Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)

Apple has fixed an actively exploited zero-day vulnerability (CVE-2024-23222) that affects Macs, iPhones, iPads and Apple TVs.

About CVE-2024-23222

CVE-2024-23222 is a type confusion issue that affects WebKit – Apple’s browser engine used in the Safari web browser and all iOS and iPadOS web browsers.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple noted in the software release notes.

The company has not shared further details about the attacks.

Update now!

It is likely that the vulnerability has been exploited in targeted attacks, but all users are urged to update their devices to the latest OS versions as soon as possible.

The issue was addressed with improved checks in:

  • Safari 17.3 – For Macs running macOS Monterey and macOS Ventura
  • iOS 17.3 and iPadOS 17.3 – For iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.5 and iPadOS 16.7.5 – For iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • macOS Sonoma 14.3 – For Macs running macOS Sonoma
  • macOS Ventura 13.6.4 – For Macs running macOS Ventura
  • macOS Monterey 12.7.3 – For Macs running macOS Monterey
  • tvOS 17.3 – For Apple TV HD and Apple TV 4K (all models)

Apple has also finally backported patches for previously exploited zero-days (CVE-2023-42916 and CVE-2023-42917) to iOS 15.8.1 and iPadOS 15.8.1 for older iPhones and iPads.

In this round of security updates, the company has also addressed several vulnerabilities affecting Apple Watch Series 4 and later, urging customers to update to watchOS 10.3.
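
As an added example (not from Apple or the original article), the fixed versions listed above can be turned into a fleet check. The inventory rows and host names are constructed, and treating Safari 17.3 as a separate requirement on Monterey and Ventura is this example's reading of the list; release lines the list does not name for this CVE, such as iOS 15, are reported as "unlisted" rather than guessed.

```python
import csv
import io

# Fixed versions per (product, major release), copied from the list above.
FIXED = {
    ("iOS", 17): (17, 3), ("iOS", 16): (16, 7, 5),
    ("iPadOS", 17): (17, 3), ("iPadOS", 16): (16, 7, 5),
    ("macOS", 14): (14, 3), ("macOS", 13): (13, 6, 4), ("macOS", 12): (12, 7, 3),
    ("tvOS", 17): (17, 3),
}
SAFARI_FIXED = (17, 3)
SAFARI_SEPARATE = {12, 13}  # assumption: Monterey/Ventura also need the Safari update

# Constructed sample inventory (hypothetical hosts), e.g. an MDM export.
INVENTORY = """host,product,os_version,safari_version
mbp-014,macOS,14.2.1,
mini-007,macOS,13.6.4,17.2
imac-003,macOS,12.7.3,17.3
phone-08,iOS,16.7.4,
pad-02,iPadOS,15.8.1,
atv-01,tvOS,17.2,
"""

def parse(version):
    """'16.7.5' -> (16, 7, 5); trailing zeros dropped so '17.3.0' == '17.3'."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def status(product, os_version, safari_version=None):
    """Return 'patched', 'needs-update', 'check-safari' or 'unlisted'."""
    ver = parse(os_version)
    fixed = FIXED.get((product, ver[0]))
    if fixed is None:
        return "unlisted"  # release line not in the list for this CVE: do not guess
    if ver < fixed:
        return "needs-update"
    if product == "macOS" and ver[0] in SAFARI_SEPARATE:
        if not safari_version:
            return "check-safari"  # OS is current but Safari version is unknown
        if parse(safari_version) < SAFARI_FIXED:
            return "needs-update"
    return "patched"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: status(r["product"], r["os_version"], r["safari_version"])
            for r in rows}
```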