Security researchers have discovered a type confusion issue in several Apple software versions, which may result in memory corruption when processing maliciously crafted web content. The issue has been assigned the CVE identifier CVE-2024-54505. Apple has addressed this vulnerability with improved memory handling in their latest software updates.

The affected software versions include iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2, and iPadOS 18.2. Users are advised to update their software to the latest versions as soon as possible to protect against potential exploitation of this vulnerability.

Exploit Details

The CVE-2024-54505 vulnerability is caused by a type confusion issue in the way certain Apple software handles memory when processing web content. An attacker may exploit this vulnerability by crafting malicious web content that triggers the type confusion issue, leading to memory corruption and potentially further exploitation.

An example of a code snippet that could trigger the vulnerability is shown below

<script>
  function createObject() {
    return new MyObject();
  }

  function triggerVulnerability() {
    let obj1 = createObject();
    let obj2 = new AnotherObject();

    // Type confusion may occur here, leading to memory corruption
    obj1.property = obj2;
  }

  triggerVulnerability();
</script>

In the above code snippet, the createObject() function returns an object of the MyObject type. The triggerVulnerability() function creates objects of both MyObject and AnotherObject types and attempts to set the property of the obj1 object to the obj2 object, leading to type confusion and memory corruption.

References

Apple officially acknowledges this issue in their security update release notes, and you can find more information on their security updates page:

Apple Security Updates

The CVE details page provides additional information on the vulnerability, its severity, impact, and affected products:

CVE-2024-54505 Details

Users are strongly advised to update their Apple software to the latest versions, which includes the fix for the CVE-2024-54505 vulnerability. The updated software versions are as follows:

iPadOS 18.2 ==> Update to iPadOS 18.3

To ensure your devices and systems remain protected, be sure to stay vigilant when browsing the web and always download updates and patches from official sources.

Conclusion

In conclusion, the CVE-2024-54505 type confusion issue is a critical vulnerability that affects several Apple software versions. Users should prioritize updating their software to the latest versions to protect their devices from potential exploits. By staying informed on the latest security updates and applying them diligently, you can significantly reduce the risk of falling victim to cyberattacks.

Timeline

Published on: 12/12/2024 02:15:31 UTC
Last modified on: 12/13/2024 18:43:13 UTC