Friday, November 22, 2024

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine

Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari.

The bug, assigned as CVE-2024-23222, stems from a type confusion error, which basically is what happens when an application incorrectly assumes the input it receives is of a certain type without actually validating — or incorrectly validating — that to be the case.
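The type-confusion pattern described above, next to the kind of validation check that closes it, as an added example. It is not Apple's or WebKit's code and does not reproduce CVE-2024-23222; the Cell object model and every name in it are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>

// Constructed toy object model: every cell carries a runtime type tag.
enum class Kind { Number, String };

struct Cell {
    Kind kind;
    explicit Cell(Kind k) : kind(k) {}
};
struct NumberCell : Cell {
    double value;
    explicit NumberCell(double v) : Cell(Kind::Number), value(v) {}
};
struct StringCell : Cell {
    std::string text;
    explicit StringCell(std::string t) : Cell(Kind::String), text(std::move(t)) {}
};

// Unvalidated form: assumes the argument is a StringCell. If it is really a
// NumberCell, the downcast is undefined behaviour and memory belonging to
// another type is read as std::string internals.
std::size_t length_unchecked(Cell* c) {
    return static_cast<StringCell*>(c)->text.size();
}

// Validated form: confirm the tag before the downcast and fail closed.
bool length_checked(Cell* c, std::size_t& out) {
    if (c == nullptr || c->kind != Kind::String) return false;
    out = static_cast<StringCell*>(c)->text.size();
    return true;
}

int main() {
    StringCell s("WebKit");
    NumberCell n(1.5);
    std::size_t len = 0;
    std::cout << length_unchecked(&s) << "\n";   // assumption happens to hold
    // length_unchecked(&n) is deliberately never called: that is the confusion.
    std::cout << (length_checked(&s, len) ? "accepted" : "rejected") << "\n";
    std::cout << (length_checked(&n, len) ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The checked accessor leaves its output untouched on a mismatch, so a caller that ignores the return value still never sees data derived from the wrong type.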

Actively Exploited

Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. “Apple is aware of a report that this issue may have been exploited,” the company’s advisory noted, without offering any further details.

The company has released updated versions of iOS, iPadOS, macOS, and tvOS with additional validation checks to address the vulnerability.

CVE-2024-23222 is the first zero-day vulnerability that Apple has disclosed in WebKit in 2024. Last year, the company disclosed a total of 11 zero-day bugs in the technology — its most ever in a single calendar year. Since 2021, Apple has disclosed a total of 22 WebKit zero-day bugs, highlighting the growing interest in the browser from both researchers and attackers.

In parallel, Apple’s disclosure of the new WebKit zero-day follows on Google’s disclosure last week of a zero-day in Chrome. It marks at least the third time in recent months where both vendors have disclosed zero-days in their respective browsers in close proximity to each other. The trend suggests that researchers and attackers are probing almost equally for flaws in both technologies, likely because Chrome and Safari are also the most widely used browsers.

The Spying Threat

Apple has not disclosed the nature of the exploit activity targeting the newly disclosed zero-day bug. But researchers have reported seeing commercial spyware vendors abusing some of the company’s more recent ones to drop surveillance software on iPhones of target subjects.

In September 2023, Toronto University’s Citizen Lab warned Apple about two no-click zero-day vulnerabilities in iOS that a vendor of surveillance software had exploited to drop the Predator spyware tool on an iPhone belonging to an employee at a Washington, D.C.-based organization. The same month, Citizen Lab researchers also reported a separate zero-day exploit chain — which included a Safari bug — that they had discovered targeting iOS devices.

Google has flagged similar concerns in Chrome, almost in tandem with Apple, on a few occasions recently. In September 2023, for instance, near the same time Apple disclosed its zero-day bugs, researchers from Google’s threat analysis group identified a commercial software company called Intellexa as developing an exploit chain — which included a Chrome zero-day (CVE-2023-4762) — to install Predator on Android devices. Just a few days earlier, Google had disclosed another zero-day in Chrome (CVE-2023-4863) in the same image processing library in which Apple had disclosed a zero-day.

Lionel Litty, chief security architect at browser security firm Menlo Security, says it’s hard to say if there’s any connection between Google and Apple’s first browser zero-days for 2024, given the limited information currently available. “The Chrome CVE was in the JavaScript engine (v8) and Safari uses a different JavaScript engine,” Litty says. “However, it’s not uncommon for different implementations to have very similar flaws.”

Once attackers have found a soft spot in one browser, they’re also known to probe other browsers in the same area, Litty says. “So, while it’s unlikely that this is the exact same vulnerability, it would not be too surprising if there was some shared DNA between the two in-the-wild exploits.”

Explosion in Zero-Hour Browser-Based Phishing Attacks

Surveillance vendors are, by far, not the only ones trying to exploit browser vulnerabilities and browsers in general. According to a soon-to-be-released report from Menlo Security, there was a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first six months of the year. Evasive attacks — a category that Menlo describes as using techniques to evade traditional security controls — surged even higher, by 206%, and accounted for 30% of all browser-based attacks in the second half of 2023.

Over a 30-day period, Menlo says it observed more than 11,000 so-called “zero-hour” browser-based phishing attacks evade Secure Web Gateway and other endpoint threat detection tools.

“The browser is the business application enterprises can’t live without, but it has fallen behind from a security and manageability perspective,” Menlo said in the upcoming report.


