Apple swiftly issued a security fix for its Vision Pro headset, responding within a day of critical reviews emerging. Acknowledging potential exploitation by hackers, Apple addressed a vulnerability in the Safari web browser engine, WebKit. This flaw could have enabled malicious code execution.
The tech company had already patched this vulnerability in the recent iOS 17.3 update. Notably, this update not only covers iPhones and iPads but also extends to Macs and Apple TVs. Unfortunately, the Apple Watch remains unprotected, lacking a corresponding patch.
Has the flaw been exploited? TechCrunch questioned Apple’s spokesperson, Scott Radcliffe, who remained tight-lipped about whether hackers specifically targeted the Vision Pro.
While it’s uncertain if the flaw was exploited, WebKit is a prime target for threat actors, like spyware vendors, seeking access to personal data and the entire operating system.
The risk surfaces when users navigate perilous web domains, either through their browsers or apps. Apple, in response, rolled out multiple patches for WebKit last year.
In January 2023, a flaw allowed potential control over older iPhones and iPads. Later, in October of the same year, researchers found a method to pilfer passwords and data from Apple devices with A- and M-series chips, via Safari on Macs or any browser on iPhones and iPads, all relying on WebKit.
Interestingly, despite Apple’s requirement for all browsers on its mobile devices to operate on WebKit, Google Chromium engineers experiment with the Blink engine on iOS, potentially anticipating Apple expanding beyond WebKit.
