Apple details vulnerability after releasing iOS/iPadOS patch 17.4.1
Take action: Doesn't look like a panic mode patch, but it seems that Apple isn't providing all the details. Because they won't release a fix version "just because". So take an hour off your phone to update it.
Learn More
Apple is providing more information about CVE-2024-1580 (CVSS score 5.9) that is reported to allow remote attackers to execute arbitrary code. This vulnerability was addressed by Apple through updates released for iOS and iPadOS 17.4.1 on March 26, 2024.
The issue stems from an out-of-bounds write in the dav1d AV1 decoding library utilized by Apple's Core Media framework and WebRTC implementation. The discovery of CVE-2024-1580 is credited to a researcher from Google's Project Zero team. The flaw is deemed potentially dangerous by security experts, indicating a cautious approach by Apple in delaying detailed disclosures to prevent exploitation.
The flaw affects multiple devices including:
- iPhone XS and newer,
- iPad Pro (12.9-inch, 2nd generation and later),
- iPad Pro (11-inch, 1st generation and later),
- iPad Air (3rd generation and later),
- iPad mini (5th generation and later).
Users are urged to install the latest iOS and iPadOS updates. Apple has also issued patches for other products like Safari, macOS Sonoma and Ventura, and visionOS software for the Vision Pro headset.
