Apple Addresses First Vision Pro-Specific Vulnerability

Charles M. Walls | June 11, 2024

On Monday, Apple rolled out visionOS 1.2, the latest update for its Vision Pro virtual reality headset, addressing several security vulnerabilities. This update includes what might be the first security flaw unique to this product.

The visionOS 1.2 update fixes nearly two dozen vulnerabilities. However, most of these are in components shared with other Apple systems like iOS, macOS, and tvOS.

Alongside this update, Apple also released a new visionOS security advisory and updated the advisories for iOS, macOS, and other systems initially published in May to include the CVEs from the visionOS advisory.

The patched vulnerabilities could potentially lead to arbitrary code execution, information disclosure, privilege escalation, and denial of service (DoS) attacks.

One significant vulnerability, CVE-2024-27812, stands out as it appears to be specific to the Vision Pro headset. This CVE is not listed in any advisories for other Apple products, indicating it's unique to visionOS.

According to Apple, CVE-2024-27812 involves the processing of specially crafted web content, which could be exploited to cause a DoS condition. Apple addressed this issue by improving the file handling protocol.

Ryan Pickren, the cybersecurity researcher credited with reporting this vulnerability, confirmed to SecurityWeek that this is indeed specific to the Vision Pro and believes it represents the "first ever spatial computing hack."

Pickren is currently not permitted to disclose further details until he receives approval from Apple. Notably, he has previously earned substantial bug bounties from Apple and was recently involved in creating malware targeting modern programmable logic controllers (PLCs).