Apple’s first zero-day of 2024 has been disclosed, with fixes pushed out for MacOS, iOS, and iPadOS.
Apple’s description of CVE-2024-23222 states only that the bug is a type confusion in Webkit, and that the company “is aware of a report that this issue may have been exploited”.
“Processing maliciously crafted web content may lead to arbitrary code execution”, Apple noted.
Fixes have been published for iPhones and iPads, and Macs running macOS Ventura and Monterey.
Apple also applied a patch to a critical-rated bug in the curl URL retrieval library that was first disclosed during 2023.
CVE-2023-38545 (CVSS score 9.8) is a heap-based buffer overflow during the SOCKS5 proxy handshake, described in detail by the curl project here.
It’s one of four curl bugs updated in Ventura and Monterey by updating to curl version 8.4.0.
Other fixes in the security roll-up plug bugs in the Apple Neural Engine, accessibility features, core data, finder, ImageIO, the login window, Apple Mail search, and the NSOpenPanel function in AppKit.