October 13, 2024 at 02:30PM
Multiple vulnerabilities affecting visionOS 2 on Apple Vision Pro have been addressed in a September 2024 update. Issues include improved checks for root access, race conditions, out-of-bounds reads, cross-origin data exfiltration, denial-of-service risks, and unauthorized Bluetooth access. Users are encouraged to update to enhance security.
**Meeting Takeaways: Security Updates for visionOS 2 on Apple Vision Pro**
– **Release Date**: September 16, 2024
– **Affected Product**: Apple Vision Pro
– **CVE Identifications and Descriptions**:
– **CVE-2024-40825**: Issue resolved with improved checks; may allow a malicious app with root access to modify system files.
– **CVE-2024-27876**: Resolved race condition with improved locking; may permit arbitrary file writing by unpacking a maliciously crafted archive.
– **CVE-2024-40850 & CVE-2024-27880**: Out-of-bounds read addressed via input validation; processing malicious files may lead to app termination.
– **CVE-2024-44176**: Out-of-bounds access fixed with bounds checking; image processing may result in denial-of-service.
– **CVE-2024-44169, CVE-2024-44165, CVE-2024-44187**: Resolved cross-origin issue with “iframe” elements; potential for data exfiltration by malicious websites.
– **CVE-2024-44191**: Improved state management resolved unauthorized Bluetooth access by apps.
– **CVE-2024-44198**: Integer overflow addressed through input validation; malicious web content could crash processes.
– **CVE-2024-44183**: Logic error fixed with improved error handling; apps could potentially cause denial-of-service.
– **CVE-2023-5841**: Open source vulnerability leads to processing issues causing denial-of-service.
– **CVE-2024-44167**: Vulnerable code removed; apps might overwrite arbitrary files.
– **CVE-2024-40790 & CVE-2024-40857**: Issues regarding state management resolved; malicious web content could lead to universal cross-site scripting.
**Next Steps**:
– Ensure the update is communicated widely to users of Apple Vision Pro.
– Monitor any reported issues following the release of the update.
– Evaluate the impact of these vulnerabilities and responses to mitigate future risks.