Apple Security Bug Opens iPhone, iPad to RCE

CVE-2024-1580 allows remote attackers to execute arbitrary code on affected devices.


Apple has finally released more details on the mysterious updates the company silently pushed last week for iOS and iPadOS 17.4.1.

As it turns out, the updates address a new vulnerability in the respective operating systems that allows a remote attacker to execute arbitrary code on affected iPhones and iPads.

Apple iOS and iPadOS products affected by the vulnerable library include iPhone XS and later, iPad Pro 12.9-inch second generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, and iPad mini fifth generation and later. Users of these devices can mitigate the risk from the vulnerability identified as CVE-2024-1580 by installing the new iOS and iPadOS updates.

An Apple Out-of-Bounds Write Issue

CVE-2024-1580 stems from an out-of-bounds write issue in dav1d, an open source library for decoding AV1 video on a wide range of devices and platforms. The two Apple iOS and iPadOS components affected by the vulnerability are the Core Media framework, which processes multimedia data on a variety of Apple platforms, and the company's WebRTC implementation, which supports live audio and video streams in mobile apps.

In addition to updating iOS and iPadOS, Apple this week also released updates to address CVE-2024-1580 in other products, including its Safari Web browser, macOS Sonoma and Ventura, and its visionOS software for the company's new Vision Pro headset. Apple's updates come just weeks after the company released iOS 17.4

Apple credited a researcher at Google's Project Zero bug-hunting team for finding and reporting the vulnerability to the company.

Potentially Dangerous Flaw?

Security researcher Paul Ducklin identified Apple's hesitation to release details of the flaw last week as a sign that the company likely assessed the flaw as being dangerous.

"We're guessing, from Apple's purposeful silence when the first fixes came out last week, that the CVE-2024-1580 bug was considered dangerous to document before the patches for other platforms, notably macOS, were published," he wrote in a blog post.

It also suggests that the company considers even the basic information it released on March 26 about CVE-2024-1580 as giving threat actors and researchers enough information to reverse engineer the update and develop a working exploit, Ducklin said. He advised users and organizations using affected devices to immediately update to the newest versions of iOS, iPadOS, macOS, and other affected software.

Google has assessed the bug as a medium severity issue with high attack complexity, noting that an attacker would require only low level privileges to exploit the bug, but would need access to the local network or be physically near a vulnerable system to be successful.

Three Apple Zero-Day Bugs ... So Far

So far in 2024, three of the four zero-day bugs that Google has included in its Project Zero spreadsheet are Apple related. The three bugs are CVE-2024-23222, a remote code execution bug in the WebKit browser engine for Safari, and CVE-2024-23225 and CVE-2024-23296, two kernel vulnerabilities in iOS that attackers were actively exploiting in attacks against iPhone users before Apple had a fix for them.

Google did not respond immediately to a Dark Reading request for more information about the exploitability of the flaw or whether Project Zero researchers have observed any exploit activity targeting the flaw in the wild.

The fourth zero-day that Google has on its Project Zero spreadsheet for 2024 is CVE-2024-0519, an actively attacked memory corruption bug in Chrome that the company patched days before Apple disclosed its WebKit Safari zero-day.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
