CVE-2024-44240: 
macOS vulnerability analysis and mitigation

CVE-2024-44240 is a security vulnerability affecting multiple Apple operating systems including tvOS 18.1, iOS 18.1, iPadOS 18.1, iOS 17.7.1, iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, and visionOS 2.1. The vulnerability was discovered by Hossein Lotfi of Trend Micro Zero Day Initiative and was publicly disclosed on October 28, 2024 (Apple Advisory).

The vulnerability exists in the CoreText component of Apple's operating systems, where processing a maliciously crafted font may result in the disclosure of process memory. The issue was addressed with improved checks. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N by NIST NVD, and a score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N by CISA-ADP (NVD).

The vulnerability allows disclosure of process memory when processing a maliciously crafted font. This could potentially lead to exposure of sensitive information stored in the application's memory (Apple Advisory).

Apple has addressed this vulnerability by implementing improved checks in the following software updates: tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, and visionOS 2.1. Users are advised to update their devices to these versions to protect against this vulnerability (Apple Advisory).