Cyber Security News

Apple Safari Zero-Day Flaw Exploited at Pwn2Own: Patch Now

Apple has released security updates to address a zero-day vulnerability in its Safari web browser that was exploited during this year’s Pwn2Own Vancouver hacking competition. 

This issue, identified as CVE-2024-27834, was fixed by enhanced checks on macOS Monterey and macOS Ventura systems. 

Master of Pwn winner Manfred Paul reported this vulnerability in collaboration with Trend Micro’s Zero Day Initiative.

Details Of The Apple Safari Zero-Day Flaw

The vulnerability, tracked as CVE-2024-27834, is in Safari's WebKit engine: an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.


“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said.

If this vulnerability is successfully exploited, an attacker may be able to bypass security measures, possibly gaining unauthorized access to the system or running malicious code on it.

During Pwn2Own, Manfred Paul used an integer underflow flaw to obtain remote code execution (RCE) and earn $60,000.

This issue is fixed in iOS 17.5, iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, and macOS Sonoma 14.5.

Update Now!

Update to the latest patched versions of iOS 17.5, iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, or macOS Sonoma 14.5 to mitigate this vulnerability.

Apple released several upgrades for its iOS and macOS operating systems to start the May release cycle. The most noteworthy update for iOS 16.7.8 and iPadOS 16.7.8 addresses CVE-2024-23296.

If you’re using a device with an affected OS, make sure you get the update. This flaw is reportedly under active attack.


Sujatha
