Apple fixes zero-day bug in Apple Vision Pro that ‘may have been exploited’

A day after reporters published their first hands-on review of Apple’s Vision Pro, the technology giant released its first security patch for the mixed reality headset to fix a vulnerability that “may have been exploited” by hackers in the wild.

On Wednesday, Apple released visionOS 1.0.2, the software that runs on the Vision Pro, with a fix for a vulnerability in WebKit, the browser engine that runs Safari and other web apps. Apple said the bug, if exploited, allowed malicious code to run on an affected device.

It’s the same vulnerability that Apple patched last week when it rolled out iOS 17.3, which included fixes for iPhones, iPads, Macs and Apple TV — all of which rely on WebKit. No patches for this bug, officially tracked as CVE-2024-23222, were released for Apple Watch.

It’s not immediately clear if malicious hackers used the vulnerability to specifically exploit Apple’s Vision Pro, and Apple spokesperson Scott Radcliffe would not say when asked by TechCrunch.

It also isn’t yet known who was exploiting the vulnerability, or for what reason.

It is not uncommon for malicious actors, such as spyware makers, to target weaknesses in WebKit as a way to break into the device’s underlying operating system and the user’s personal data. WebKit bugs can sometimes be exploited when a victim visits a malicious domain in their browser, or the in-app browser.

Apple rolled out several patches for WebKit bugs last year.

Vision Pro is expected to be available starting Friday.

I spent the morning with the Apple Vision Pro