Apple Patches Code Execution Vulnerability in iOS, macOS

March 26, 2024 at 08:48AM

Apple has issued security updates for iOS and macOS to fix an arbitrary code execution vulnerability affecting CoreMedia and WebRTC components. This issue, also impacting the dav1d AV1 decoder, can lead to memory corruption and arbitrary code execution. The company credited Google Project Zero researcher Nick Galloway for reporting the bug. Users are urged to update their devices immediately.

The key takeaways are as follows:

1. Apple has released fresh security updates for iOS and macOS devices to address an arbitrary code execution vulnerability. This issue, tracked as CVE-2024-1580, impacts the CoreMedia and WebRTC components and could be triggered during image processing.

2. The vulnerability also affects the dav1d open source AV1 cross-platform decoder and was resolved in dav1d version 1.4.0 in February.

3. Apple has included patches for the bug in iOS and iPadOS 17.4.1, iOS and iPadOS 16.7.7, visionOS 1.1.1, macOS Sonoma 14.4.1, macOS Ventura 13.6.6, and Safari 17.4.1 (for macOS Monterey and macOS Ventura).

4. The company has credited Google Project Zero researcher Nick Galloway for reporting the bug.

5. Although the vulnerability is rated as medium severity and there are no reports of it being exploited in attacks, Apple’s release of security updates suggests that users should patch their devices immediately.

6. More information on the patches can be found on Apple’s security releases page.
