Apple has released security updates for iOS and macOS devices to address an arbitrary code execution vulnerability tracked as CVE-2024-1580. The vulnerability, an integer overflow that leads to an out-of-bounds write, affects the CoreMedia and WebRTC components and can be triggered during image processing. The defect is not exclusive to Apple’s products: it also affects the dav1d open source cross-platform AV1 decoder and was fixed in dav1d version 1.4.0 in February. Apple warns that exploitation could lead to arbitrary code execution during image processing and says the issue was addressed with improved input validation.
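The defect class described above, an integer overflow in a size computation fed by untrusted header fields that yields an undersized buffer and a later out-of-bounds write, together with the kind of input validation that closes it, as an added illustrative example in C. This is not dav1d's or Apple's code: the `frame_hdr_t` struct, its field names, the `MAX_DIM` limit and the sample headers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header fields parsed from an untrusted bitstream
 * (constructed for this example; not dav1d's structures). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} frame_hdr_t;

/* Vulnerable pattern: the product is computed in 32 bits and wraps, so a
 * hostile header can yield a tiny allocation while the decoder later
 * writes width * height * bytes_per_pixel bytes into it. */
static uint32_t plane_size_unchecked(const frame_hdr_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened pattern: reject out-of-range dimensions up front and compute
 * the size with overflow-detecting multiplication. Returns false instead
 * of ever handing back a wrapped size. MAX_DIM is an illustrative limit. */
#define MAX_DIM 16384u
static bool plane_size_checked(const frame_hdr_t *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 ||
        h->width > MAX_DIM || h->height > MAX_DIM)
        return false;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)
        return false;
    size_t sz;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &sz))
        return false;
    if (__builtin_mul_overflow(sz, (size_t)h->bytes_per_pixel, &sz))
        return false;
    *out = sz;
    return true;
}

/* Detection aid: does the 32-bit computation disagree with the exact
 * 64-bit product for this header? True means the unchecked path wraps. */
static bool unchecked_wraps(const frame_hdr_t *h)
{
    uint64_t exact = (uint64_t)h->width * h->height * h->bytes_per_pixel;
    return exact != plane_size_unchecked(h);
}
```

A constructed header of 65536 x 65536 pixels at one byte per pixel makes the unchecked product wrap to zero, which the checked routine rejects before any allocation happens.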
The patches cover iOS, iPadOS, visionOS, macOS Sonoma, macOS Ventura, and Safari. Google Project Zero researcher Nick Galloway is credited with reporting the bug and has published a technical writeup and proof-of-concept (PoC) code demonstrating the issue. Although the vulnerability is rated medium severity and has not been reported as exploited in attacks, Apple’s prompt release of updates underlines why users should patch their devices without delay: the flaw has a potential impact on integrity and can be exploited from the network with low privileges and no user interaction.