About the security content of visionOS 1.3 – Apple Support

by

About the security content of visionOS 1.3 - Apple Support

October 15, 2024 at 01:45PM

Apple’s visionOS 1.3 update, available for Apple Vision Pro on July 29, 2024, addresses multiple security vulnerabilities (CVE-2024-27826, CVE-2024-40799, etc.) involving improved memory handling, bounds checking, and locking methods. These issues could lead to unexpected system shutdowns, app terminations, or cross-site scripting attacks.

### Meeting Takeaways

**Release Date:** July 29, 2024
**Affected Product:** Apple Vision Pro (visionOS 1.3)

**Key Vulnerabilities and Remediations:**

1. **CVE-2024-27826**
– **Description:** Improved memory handling.
– **Impact:** Local attackers may cause unexpected system shutdown.

2. **CVE-2024-27804**
– **Description:** Improved memory handling.
– **Impact:** Apps may cause unexpected system termination.

3. **CVE-2024-40799, CVE-2023-6277, CVE-2023-52356, CVE-2024-40806, CVE-2024-40777**
– **Description:** Out-of-bounds access addressed with improved bounds checking.
– **Impact:** Processing malicious files may result in unexpected app termination.

4. **CVE-2024-40784, CVE-2024-27863, CVE-2024-27823**
– **Description:** Race condition addressed with improved locking.
– **Impact:** Attackers in privileged network positions may spoof network packets.

5. **CVE-2024-40788**
– **Description:** Type confusion issue addressed with improved memory handling.
– **Impact:** Local attackers may cause unexpected system shutdown.

6. **CVE-2024-40865**
– **Description:** Addressed by suspending Persona when the virtual keyboard is active.
– **Impact:** Inputs to the virtual keyboard could be inferred from Persona.

7. **CVE-2024-40809, CVE-2024-40812, CVE-2024-40776, CVE-2024-40782, CVE-2024-40779, CVE-2024-40780, CVE-2024-40785**
– **Description:** Improved checks implemented.
– **Impact:** Processing malicious web content may lead to cross-site scripting attacks.

8. **CVE-2024-40789**
– **Description:** Out-of-bounds access issue addressed with improved bounds checking.
– **Impact:** Processing malicious web content may lead to an unexpected process crash.

### Summary
A series of security vulnerabilities have been identified in visionOS 1.3 impacting the Apple Vision Pro, with updates available to address issues related to memory handling, bounds checking, race conditions, and web content processing. All updates aim to mitigate potential risks ranging from system shutdowns to security breaches via cross-site scripting.

Full Article