Apple has rolled out security updates to tackle a zero-day vulnerability in its Safari web browser, exploited during this year’s Pwn2Own Vancouver hacking contest.
Known as CVE-2024-27834, this issue has been resolved through strengthened checks on macOS Monterey and macOS Ventura systems.
The Master of Pwn winner, Manfred Paul, disclosed this vulnerability in partnership with Trend Micro’s Zero Day Initiative.
Apple Safari Zero-Day Flaw
The Safari WebKit vulnerability, tagged as CVE-2024-27834, potentially lets an attacker who has arbitrary read and write capability bypass Pointer Authentication.
“An attacker with arbitrary read and write capability may bypass Pointer Authentication,” stated Apple.
Exploiting this vulnerability could enable attackers to circumvent security measures, potentially leading to unauthorized system access or execution of malicious code.
At Pwn2Own, Manfred Paul utilized an integer underflow flaw to achieve remote code execution (RCE) and was awarded $60,000.
This issue has been addressed in the following updates: iOS 17.5 and iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, and macOS Sonoma 14.5.
Patch Update
To mitigate this vulnerability, update to the latest versions: iOS 17.5, iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, or macOS Sonoma 14.5.
Apple’s May release cycle introduces crucial upgrades for iOS and macOS. Notably, iOS 16.7.8 and iPadOS 16.7.8 tackle CVE-2024-23296.
If your device runs on an affected OS, promptly install the update, as this flaw is reportedly under active attack.
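The fixed versions listed above for CVE-2024-27834 can be checked across a device inventory. The script below is an added example, not Apple's or the article's code. The inventory records, host names and field names are constructed, and it assumes that macOS releases older than Sonoma receive the fix through Safari 17.5 rather than through an OS update.

```python
# Fixed versions for CVE-2024-27834 exactly as listed in the article.
FIXED = {"ios": "17.5", "ipados": "17.5", "tvos": "17.5",
         "watchos": "10.5", "macos": "14.5", "safari": "17.5"}

def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))

def at_least(found, required):
    """Compare versions after padding, so 17.5 and 17.5.0 are equal."""
    width = max(len(found), len(required))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(required)

def assess(device):
    """Return 'fixed', 'needs_update' or 'unknown' for one inventory record."""
    try:
        platform = device["platform"].lower()
        os_version = parse_version(device["os_version"])
        component, found = platform, os_version
        if platform == "macos" and os_version[0] < 14:
            # Assumption: Monterey (12) and Ventura (13) receive the fix
            # through Safari 17.5, so the browser version is what counts.
            component, found = "safari", parse_version(device["safari_version"])
        required = parse_version(FIXED[component])
    except (KeyError, ValueError, AttributeError):
        return "unknown"  # unlisted platform, or a missing/unparseable field
    return "fixed" if at_least(found, required) else "needs_update"

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"host": "iphone-01", "platform": "iOS", "os_version": "17.4.1"},
    {"host": "ipad-02", "platform": "iPadOS", "os_version": "17.5.0"},
    {"host": "mac-03", "platform": "macOS", "os_version": "13.6.7", "safari_version": "17.5"},
    {"host": "mac-04", "platform": "macOS", "os_version": "12.7.5", "safari_version": "17.4.1"},
    {"host": "mac-05", "platform": "macOS", "os_version": "14.4.1"},
    {"host": "watch-06", "platform": "watchOS", "os_version": "10.5"},
    {"host": "mac-07", "platform": "macOS", "os_version": "13.6.7"},  # Safari version not collected
]

def audit(inventory):
    """Map each host name to its assessment."""
    return {device["host"]: assess(device) for device in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Records that come back as "unknown" are worth following up rather than ignoring, since a Mac on Monterey or Ventura with no recorded Safari version cannot be judged from its OS version alone.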