Apple closes WebKit zero-day in iOS, iPadOS and macOS


Apple has patched a WebKit vulnerability in several of its operating systems, including iOS, iPadOS and macOS. The company says it is aware of reports that this vulnerability has been actively exploited.

Apple released the patch as part of iOS and iPadOS 17.3, macOS 14.3 and tvOS 17.3, according to the manufacturer’s patch notes. According to the tech giant, the fix addresses vulnerability CVE-2024-23222, which allows arbitrary code execution on an affected device. This can happen if the device in question processes ‘maliciously designed’ web content. Apple said it is “aware of a report that this issue may have been exploited.”

Apple’s updates came out Monday evening. In addition to the bug fixes and closed zero-days, Apple is adding a new Stolen Device Protection feature with the iOS 17.3 release. Apple previously announced this feature, which should protect users’ personal data if their iPhone is stolen.

The new feature requires users to, among other things, verify their identity with Face ID or Touch ID if they want to view saved passwords in iCloud Keychain. A one-hour wait period will also be added when users want to change their Apple ID password or iPhone PIN or set up new Touch ID or Face ID credentials. This waiting period applies if the device is in an unknown location, and therefore does not apply when the iPhone is used at home or at the office. Apple is also adding collaborative playlists to iOS 17.3 and macOS 14.3, allowing Apple Music users to create a shared playlist.

Stolen Device Protection in iOS 17.3. Image: Apple, Wall Street Journal
