WebKit vulnerability sparks Apple’s first major security update of 2024

Apple has rolled out a series of patches for multiple vulnerabilities across its ecosystem, among them a critical zero-day discovered in the open source WebKit browser engine that forms the underpinnings of the Safari web browser.

The vulnerability in question is tracked as CVE-2024-23222, and it has already been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list, meaning it could be particularly impactful. Apple said it was “aware of a report that this issue may have been exploited”.

CVE-2024-2322 is a type confusion issue in which processing maliciously crafted web content may enable a threat actor to achieve arbitrary code execution on the victim’s device.

The patch covers a vast range of Apple devices, from iPhones and iPads to Macs, and even Apple TVs. A full breakdown of affected devices and operating system versions is available from Apple.

Commenting on the zero-day, Alan Bavosa, vice-president of security products at AppDome, a specialist in mobile app defence across both iOS and Android devices, said: “The Apple security vulnerability CVE-2024-23222 and its exploitation in iOS 17.3 is concerning.

“The recognised potential attack vectors, encompassing remote code execution, spyware, and kernel exploits, underscore the severity of this threat in the realm of mobile security as they could allow attackers to gain total control over iOS devices and compromise any unprotected apps or accounts running on the device,” he said.

Apple is traditionally tight-lipped about vulnerabilities in its products, rarely offering more than barebones information to prevent more threat actors from attempting exploitation, and this is again the case for its first major security update of the year – the firm offered no further information as to the extent of exploitation, or whom might be behind it.

In the past, zero-days affecting its products, particularly iPhones, have often been exploited by mercenary spyware companies that operate as legitimate business while selling their products and services to government customers who use them to spy on persons of interest, such as activists, journalists and political rivals.

The most famous recent example of this is Pegasus, a malware developed by disgraced Israeli firm NSO Group and which was implicated in the 2018 murder of Washington Post journalist and Saudi dissident Jamal Khashoggi in Türkiye.

In related news, a lawsuit against NSO, which Apple filed in November 2021, moved forward in Apple’s favour this week when a US judge denied NSO’s request to dismiss the case in favour of a trial in Israel. NSO had argued that it would face more challenges if a trial moved forward in the US than it would in its home country.

In his ruling, Judge James Donato also affirmed Apple’s basis for suing over violations of the US Computer Fraud and Abuse Act, and California’s Unfair Competition Law.

NSO has been given until Valentine’s Day, 14 February, to answer Apple’s complaint, with a further case management hearing scheduled for April.

Apple spokespeople told reporters that it would continue its work to protect users from mercenary spyware developers.