CVE-2024-44155: 
Apple Safari vulnerability analysis and mitigation

A custom URL scheme handling vulnerability (CVE-2024-44155) was discovered affecting multiple Apple products including Safari 18, iOS 17.7.1, iPadOS 17.7.1, macOS Sequoia 15, watchOS 11, iOS 18, and iPadOS 18. The vulnerability was disclosed on October 28, 2024, and was identified by Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India) (Apple Support).

The vulnerability stems from a custom URL scheme handling issue that could allow maliciously crafted web content to violate iframe sandboxing policy. The issue was addressed with improved input validation. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

If exploited, this vulnerability could allow maliciously crafted web content to bypass iframe sandboxing policy, potentially compromising the integrity of web content isolation mechanisms. The CVSS scoring indicates high impact on integrity while maintaining no impact on confidentiality or availability (NVD).

Apple has addressed this vulnerability by implementing improved input validation in the affected products. Users are advised to update to Safari 18, iOS 17.7.1, iPadOS 17.7.1, macOS Sequoia 15, watchOS 11, or iOS/iPadOS 18 to protect against this vulnerability (Apple Support).