Security
Headlines
HeadlinesLatestCVEs

Headline

Apple Security Advisory 03-07-2024-7

Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.

Packet Storm
#vulnerability#web#windows#apple#buffer_overflow#auth#zero_day#webkit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple Vision Pro
Impact: An app may be able to spoof system notifications and UI
Description: This issue was addressed with additional entitlement
checks.
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)

ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin

ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel
Available for: Apple Vision Pro
Impact: An app may be able to access user-sensitive data
Description: A race condition was addressed with additional validation.
CVE-2024-23235

Kernel
Available for: Apple Vision Pro
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel
Available for: Apple Vision Pro
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23225

Metal
Available for: Apple Vision Pro
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero
Day Initiative

Persona
Available for: Apple Vision Pro
Impact: An unauthenticated user may be able to use an unprotected
Persona
Description: A permissions issue was addressed to help ensure Personas
are always protected
CVE-2024-23295: Patrick Reardon

RTKit
Available for: Apple Vision Pro
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23296

Safari
Available for: Apple Vision Pro
Impact: An app may be able to fingerprint the user
Description: The issue was addressed with improved handling of caches.
CVE-2024-23220

UIKit
Available for: Apple Vision Pro
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt
für Sicherheit in der Informationstechnik

WebKit
Available for: Apple Vision Pro
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259694
CVE-2024-23226: Pwn2car

WebKit
Available for: Apple Vision Pro
Impact: A malicious website may exfiltrate audio data cross-origin
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 263795
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced
Description: A logic issue was addressed with improved validation.
WebKit Bugzilla: 264811
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 267241
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Kernel
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung
Lee) for their assistance.

Model I/O
We would like to acknowledge Junsung Lee for their assistance.

Power Management
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs
SG Pte. Ltd. for their assistance.

Safari
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee
Dong Ha of ZeroPointer Lab ) for their assistance.

WebKit
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo,
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update visionOS are available at
https://support.apple.com/kb/HT214009 To check the software version
on your Apple Vision Pro, open the Settings app and choose General >
About.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqch0ACgkQX+5d1TXa
Ivp/nA//XUiuB8BB/bRbBd0c9z/0DScN1cEWhZaAiWh7HGiOji+HjUv3GocXDHTh
65MqZ3y4C08Qr5qDNzZOnaTUZgbk+h3Pz62SoSS0deI3xp1uNpHsmtSqMh6Qs30I
/IMBpmBuyqoL6w9KBSAubqsrwT/SVQuz67yMCSNUQ27KL3Dymf1JFKf+oaKYTC5R
TRrmZ1yzWkvziGYYsjUR+G+HiwnQza/39sFOu7Eezkv+lqtQcP1v2eFRporxqvDX
QejHf4mUIqNZs9KSe7z2uguRlMTbAaaOFt0UCXHhXXifQK9fmrOP9vKofAiy7S54
NDuSa6gZzKvakC0VxUozGZaFhVocDDbWOBrH6eLI3RTR59sl5RXv4cFTZXp5Xfy4
4xj99QM/zXb75TnPTWPlCJ9E2CfmFtfTRDa7wgZgeRL2dfHihaCV7/p28m8vdOAS
QDbOBlReS27zwOcxVUSo+LcPvymve7ObCUc+ITwHW7V3Uq92mKfYmbv99ovxQGNB
9LAChqBoYfWTbUAfP9/cvY++543CAE5xmzSIfnmFEH04ZA2Fh4Gc6mmo1W3Q24Hx
QwhV1agy52x2t4g+BABQSNkwLDkS9yGj/SNqz1fknVyFoKry0tZAdXGM51PwQvV1
7BnKw3PgU0EZK135spUgfhRBbemWfoISY9t/QqA2RCp9hiEsXZA=
=pp0o
-----END PGP SIGNATURE-----

Related news

Gentoo Linux Security Advisory 202407-13

Gentoo Linux Security Advisory 202407-13 - Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which could lead to arbitrary code execution Versions greater than or equal to 2.44.0:4 are affected.

Apple Security Advisory 05-13-2024-5

Apple Security Advisory 05-13-2024-5 - macOS Ventura 13.6.7 addresses bypass vulnerabilities.

Apple Security Advisory 05-13-2024-3

Apple Security Advisory 05-13-2024-3 - iOS 16.7.8 and iPadOS 16.7.8 addresses bypass vulnerabilities.

Debian Security Advisory 5684-1

Debian Linux Security Advisory 5684-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Kacper Kwapisz discovered that visiting a malicious website may lead to address bar spoofing. Nan Wang and Rushikesh Nandedkar discovered that processing maliciously crafted web content may lead to arbitrary code execution. SungKwon Lee discovered that processing web content may lead to a denial-of-service. Various other issues were also addressed.

Ubuntu Security Notice USN-6732-1

Ubuntu Security Notice 6732-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

You Should Update Apple iOS and Google Chrome ASAP

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

Apple Security Advisory 03-07-2024-6

Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

Apple Security Advisory 03-07-2024-5

Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

Apple Security Advisory 03-07-2024-4

Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.

Patch Tuesday, March 2024 Edition

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.

Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited.

Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution