About the security content of visionOS 2.1 – Apple Support

About the security content of visionOS 2.1 - Apple Support

October 28, 2024 at 12:06PM

Apple has released updates for visionOS 2.1 on Apple Vision Pro addressing various security vulnerabilities. These include improved handling of symlinks, memory management, and path handling issues that could lead to unauthorized access, information disclosure, or system crashes. The update is available as of October 28, 2024.

### Meeting Takeaways

#### Overview:
The meeting focused on the security updates related to visionOS 2.1 for the Apple Vision Pro, detailing various vulnerabilities that have been addressed with improvements in logic, handling, and memory management. The release date for these updates is set for October 28, 2024.

#### Key Security Vulnerabilities Addressed:

1. **CVE-2024-44255**
– **Description**: Improved path handling logic.
– **Impact**: Malicious apps may run arbitrary shortcuts without user consent.

2. **CVE-2024-44273**
– **Description**: Improved handling of symlinks.
– **Impact**: Malicious apps may access private information.

3. **CVE-2024-44240 & CVE-2024-44302**
– **Description**: Improved checks on crafted fonts.
– **Impact**: Possible disclosure of process memory.

4. **CVE-2024-44282 & CVE-2024-44215**
– **Description**: Improved checks on image processing.
– **Impact**: Possible disclosure of process memory.

5. **CVE-2024-44297**
– **Description**: Improved bounds checks.
– **Impact**: Potential denial-of-service through malicious messages.

6. **CVE-2024-44285**
– **Description**: Addressed a use-after-free issue.
– **Impact**: Possible unexpected system termination or kernel memory corruption.

7. **CVE-2024-44239**
– **Description**: Improved private data redaction for logs.
– **Impact**: Possible leakage of sensitive kernel state.

8. **CVE-2024-44262**
– **Description**: Improved sensitive information redaction.
– **Impact**: Ability for users to view sensitive information.

9. **CVE-2024-44258 & CVE-2024-44252**
– **Description**: Improved handling and logic for restoring backup files.
– **Impact**: Possible modification of protected system files.

10. **CVE-2024-44277**
– **Description**: Improved memory handling.
– **Impact**: Possible unexpected system termination or kernel memory corruption.

11. **CVE-2024-44259**
– **Description**: Improved state management.
– **Impact**: Possible misuse of trust relationships to download malicious content.

12. **CVE-2024-44229**
– **Description**: Additional validation for information leakage.
– **Impact**: Private browsing leakage of browsing history.

13. **CVE-2024-44269 & CVE-2024-44194**
– **Description**: Improved sensitive information redaction.
– **Impact**: Access to sensitive user data by apps.

14. **CVE-2024-44278 & CVE-2024-44244**
– **Description**: Improved input validation for memory corruption issues.
– **Impact**: Unexpected crashes from malicious web content processing.

15. **CVE-2024-44296**
– **Description**: Improved checks for web content.
– **Impact**: May prevent enforcing Content Security Policy.

### Conclusion:
The updates will enhance security for the Apple Vision Pro, addressing potential risks that could impact user privacy and system integrity. It is crucial for users to install the upcoming updates promptly to maintain device security.

Full Article