Last week, Apple published updates for iOS and iPadOS. At that time, Apple withheld details about the security content of the update. This is typical if future updates for other operating systems will fix the same vulnerability. Apple's operating systems share a lot of code, and specific vulnerabilities are frequently found in all operating systems.

Today, Apple released the corresponding macOS updates and with that delivered the missing security details.

A total of two vulnerabilities are being patched. They affect macOS (14 and 13), iOS/iPadOS (16 and 17), and the brand new visionOS.

CVE-2024-1580: An arbitrary code execution vulnerability that could be triggered by processing a crafted image.

CVE-2024-1580: An arbitrary code execution vulnerability that could also be triggered by processing an image.

Note: this is not a typo above. There is only one CVE, but Apple shows two distinct vulnerabilities. The reason is that this is the same issue that happened in two different components.

The most likely attack vector for either vulnerability is a malicious image loaded from a website or an email. However, many other components that parse and display image files could be vulnerable. CoreMedia and WebRTC are used almost always by software processing images.

No exploit was made public, but bot were reported by the Google Project Zero and one can expect more details from Google soon.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|