CVE-2024-23222: Apple’s First Zero-Day Flaw of the Year

Apple has unfurled security updates to confront the year’s inaugural zero-day vulnerability, a menacing shadow looming over iPhones, Macs, and Apple TVs alike. This zero-day, tracked as CVE-2024-23222, lies within WebKit, and if exploited, could allow threat actors to execute arbitrary malicious code on unpatched devices.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple said.

Intriguingly, the origins of CVE-2024-23222 remain shrouded in mystery. Apple’s acknowledgment of the vulnerability’s exploitation in the wild comes without the attribution typically extended to the discoverers of such security flaws.

In response, Apple addressed CVE-2024-23222 by enhancing checks. The updates—spanning iOS 16.7.5 and later, iPadOS 16.7.5 and beyond, macOS Monterey 12.7.3 and upwards, as well as tvOS 17.3 and subsequent versions—safeguard an extensive list of devices from the iPhone 8 to the latest Apple TV 4K models.

This flaw affects the following devices:

• iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
• iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
• Macs running macOS Monterey and later
• Apple TV HD and Apple TV 4K (all models)

While this zero-day’s exploitation may have been restricted to targeted attacks, Apple strongly advises all users to install the security updates promptly to thwart potential attempts. Additionally, Apple has released patches for two older WebKit zero-days (CVE-2023-42916, CVE-2023-42917) previously addressed in November.