2024-03-23
Apple Updates for iOS, iPadOS, macOS, and visionOS
On Thursday, March 21, Apple released the following updates: iOS and iPadOS 17.4.1; iOS and iPadOS 16.7.7; and visionOS 1.1.1. On Monday, March 25, Apple released updates for macOS Sonoma (14.4.1) and Ventura (13.6.6). All of the updates fix an out-of-bounds write issue (CVE-2024-1580) in CoreMedia and WebRTC.
Editor's Note
This update patches only one vulnerability (CVE-2024-1580). But this vulnerability affects two different components, CoreMedia and WebRTC.
Johannes Ullrich
CVE-2024-1580, an integer overflow in the dav1d AV1 decoder, has a CVSS score of 5.9. Exploiting the flaw can result in memory corruption within the decoder. While the fix only addresses the two packages, the code was in use across multiple OSes, so you need to make sure you're pushing the update to all the affected devices. Apple has not indicated there is exploitation in the wild, but now that the fixes are out, expect reverse engineering to lead to PoC exploits soon.
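As an added, constructed example (not dav1d's or Apple's code, and not the actual CVE-2024-1580 code path), the C program below shows the bug class the note describes: a decoder computes a pixel-plane size from 32-bit header fields, the product wraps, and every later write into the undersized buffer lands out of bounds. It contrasts the unchecked computation with a 64-bit, overflow-checked one and a bounds-checked sample write. The frame dimensions, the 1 GiB cap, and all function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the integer-overflow-to-OOB-write class.
   Not dav1d's code: a decoder computing a pixel-plane size from header fields. */

/* Unchecked: header fields are 32-bit, so the product silently wraps.
   A buffer allocated from this size is far too small for the frame. */
uint32_t plane_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bytes_per_sample)
{
    uint32_t wh = width * height;   /* wraps modulo 2^32 */
    return wh * bytes_per_sample;   /* wraps again */
}

/* Checked: 64-bit arithmetic with explicit overflow tests, plus a hard cap
   (ASSUMED policy value, not from the page) so absurd dimensions are refused. */
bool plane_bytes_checked(uint32_t width, uint32_t height, uint32_t bytes_per_sample,
                         uint64_t max_bytes, uint64_t *out)
{
    if (width == 0 || height == 0 || bytes_per_sample == 0) return false;
    uint64_t wh = (uint64_t)width * (uint64_t)height;     /* cannot overflow 64 bits */
    if (wh > UINT64_MAX / bytes_per_sample) return false;  /* second multiply would wrap */
    uint64_t total = wh * bytes_per_sample;
    if (total > max_bytes) return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the dimensions are refused. */
uint64_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bytes_per_sample,
                              uint64_t max_bytes)
{
    uint64_t n = 0;
    return plane_bytes_checked(width, height, bytes_per_sample, max_bytes, &n) ? n : 0;
}

/* Bounds-checked sample write: the guard that turns a would-be OOB write into a
   clean failure. Returns false instead of touching memory past buf_len. */
bool write_sample(uint8_t *buf, size_t buf_len, uint32_t stride,
                  uint32_t x, uint32_t y, uint8_t value)
{
    uint64_t off = (uint64_t)y * stride + x;
    if (x >= stride || off >= buf_len) return false;
    buf[off] = value;
    return true;
}

/* Three writes against a constructed 4x4 plane: one in bounds, one one row past
   the end, one past the row stride. Returns how many were accepted (expected: 1). */
int guarded_write_demo(void)
{
    uint8_t plane[16] = {0};
    int accepted = 0;
    accepted += write_sample(plane, sizeof plane, 4, 3, 3, 0xff);  /* last valid sample */
    accepted += write_sample(plane, sizeof plane, 4, 0, 4, 0xff);  /* row 4: past the buffer */
    accepted += write_sample(plane, sizeof plane, 4, 4, 0, 0xff);  /* column 4: past the stride */
    return accepted;
}

int main(void)
{
    /* Constructed hostile header: 70000 x 70000, 1 byte per sample. */
    uint32_t w = 70000, h = 70000, bps = 1;
    uint32_t wrapped = plane_bytes_unchecked(w, h, bps);
    printf("unchecked size: %u bytes (true size is %llu)\n",
           wrapped, (unsigned long long)w * h * bps);
    printf("checked: %s\n",
           checked_size_or_zero(w, h, bps, (uint64_t)1 << 30) ? "accepted" : "rejected");
    printf("guarded writes accepted: %d of 3\n", guarded_write_demo());
    return 0;
}
```

The wrapped size (605032704 bytes for a 4.9 GB frame) is the dangerous case: it is nonzero, so a naive allocation succeeds, and the decoder then writes roughly eight times more data than the buffer holds. The checked path either returns the true size for the allocator or refuses the frame outright, and the per-write guard is the last line of defence when size accounting elsewhere is wrong.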