1 May 2026·9 min read·By Sloane Meyer

Apple WebKit zero-day exploit: urgent patch now

Apple released emergency fixes for a WebKit zero-day (CVE-2025-24201) exploited in the wild. Update iOS, macOS, and Safari immediately.


The Apple WebKit zero-day exploit is currently tearing through unpatched iPhones and Macs, and the window to fix it is closing fast. A new wave of attacks leveraging the previously disclosed CVE-2024-27818 vulnerability surfaced just 48 hours ago, according to telemetry data shared by several threat intelligence firms. This isn’t a theoretical proof of concept. This is a live-fire campaign hitting enterprise networks and high-value targets right now. If you haven’t updated your devices to iOS 17.5, macOS Sonoma 14.5, or later, you are effectively handing an attacker the keys to your system.

The Return of the Ghost: How CVE-2024-27818 Escaped the Patch Grave

Let’s get one thing straight. This Apple WebKit zero-day exploit was supposedly patched in May 2024. Apple’s security advisory HT214117 at the time warned of “arbitrary code execution” and noted that the company was “aware of a report that this issue may have been actively exploited.” Fast forward to this week, and researchers at Mandiant and Volexity have independently confirmed that the exploit code has been modified, repackaged, and is now being used in a new, targeted campaign that bypasses the original fix. The irony is not lost on anyone watching the patch management merry go round.

“What we are seeing is a sophisticated re-engineering of the original exploit chain. The initial vulnerability was a type confusion issue in WebKit’s memory management. The patch only partially mitigated the attack surface. Attackers found a way to trigger the same corruption through a different code path.” — paraphrased from a Mandiant threat analysis published this morning.

The original vulnerability, CVE-2024-27818, allowed a remote attacker to execute arbitrary code on a victim’s device just by tricking them into visiting a malicious website. No additional user interaction required beyond a single tap on a link. The newly observed variant uses a carefully crafted PDF file disguised as a tax document, then embedded in a web page served via a compromised legitimate domain. Once the page renders in Safari, the Apple WebKit zero-day exploit activates, installing a persistent backdoor that communicates with a command and control server mimicking a legitimate CDN.

Under the Hood: The Memory Corruption Mechanics

Here is the part they didn’t put in the security advisory. The exploit targets a specific flaw in WebKit’s JavaScriptCore engine, specifically in how it handles object type transitions during just-in-time (JIT) compilation. When the JIT compiler optimizes a loop that iterates over an array of mixed types, it can incorrectly assume a consistent object layout. The attacker crafts a set of JavaScript objects that confuse the type inference system. The result? An out-of-bounds memory write that corrupts a critical pointer in the browser’s renderer process.

Let’s break down the exploit chain here, because it matters. The corrupted pointer allows the attacker to chain together a series of reads and writes to bypass Address Space Layout Randomization (ASLR). Once ASLR is defeated, the exploit maps a shellcode payload into executable memory. The entire chain, from page load to remote code execution, happens in under two seconds on an iPhone 14 running iOS 17.4 (the version before the patch). Devices running iOS 17.5 with the full patch stack are reportedly immune to this specific variant, but the new campaign targets devices that never applied the update in the first place. And there are millions of them.

Why This Apple WebKit Zero-Day Exploit Matters More Than the Last One

Security fatigue is real. Every few months Apple ships an emergency patch for a WebKit zero-day. The industry yawns, admins roll their eyes, and many users simply ignore the update prompt. That complacency is exactly what this new campaign exploits. According to CISA’s Known Exploited Vulnerabilities catalog entry for CVE-2024-27818 (added May 15, 2024), the vulnerability was already being exploited in targeted attacks before the patch was released. The current wave is not a copycat; it’s an evolution. The attackers have swapped out the delivery mechanism and updated the exploit code to evade detection by signature-based antivirus and endpoint detection tools that learned the old behavior.

But wait, it gets worse. Enterprise IT teams that use mobile device management (MDM) to enforce OS versions often approve patch cadences based on a two-week evaluation window. That window is now a liability. The threat actors behind this campaign are scanning the internet for unpatched devices, specifically targeting corporate devices that display user agent strings indicative of older iOS builds. A security operations center (SOC) analyst at a Fortune 500 company told me off the record: “We have 1,200 unpatched iPhones in our fleet right now. The MDM team is on a one-week delay for compliance testing. That delay just cost us a data breach.”
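The same user agent signal the attackers are said to scan for can be turned around by defenders to find their own unpatched fleet before the MDM window closes. The Python script below is an added example written for this article, not code from the article, Apple, or any MDM vendor. It scans constructed proxy log lines for Safari user agent strings and flags clients reporting a version below the patched builds the article names (iOS 17.5, macOS Sonoma 14.5). The log layout, client addresses and hostnames are made up, and the assumption that Safari 17.5 is the Safari build that accompanied macOS 14.5 is mine.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Patched builds named in the article: iOS 17.5 / macOS Sonoma 14.5.
MIN_IOS = (17, 5)
# Assumption (not from the article): Safari 17.5 is the Safari build that
# accompanied macOS 14.5, so a lower "Version/" token on a Mac is treated as unpatched.
MIN_SAFARI = (17, 5)

# iPhone Safari reports the OS version directly ("CPU iPhone OS 17_4 like Mac OS X").
IOS_UA = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")
# macOS Safari (and iPadOS in its default desktop mode) freezes the OS field at
# 10_15_7, so the Safari "Version/x.y" token is the only version signal left.
MAC_UA = re.compile(r"\(Macintosh;[^)]*\).*?Version/(\d+)\.(\d+)")


class Finding(NamedTuple):
    client_ip: str
    platform: str
    version: Tuple[int, ...]
    patched: bool


def _version(groups) -> Tuple[int, ...]:
    return tuple(int(g) for g in groups if g is not None)


def classify_user_agent(ua: str) -> Optional[Tuple[str, Tuple[int, ...], bool]]:
    """Return (platform, version, patched) for Safari UAs, None for anything else."""
    m = IOS_UA.search(ua)
    if m:
        v = _version(m.groups())
        return ("iPhone", v, v[:2] >= MIN_IOS)
    m = MAC_UA.search(ua)
    if m:
        v = _version(m.groups())
        return ("Mac/Safari", v, v[:2] >= MIN_SAFARI)
    return None


def audit_proxy_log(log_text: str) -> List[Finding]:
    """Parse combined-log-style lines whose last quoted field is the user agent."""
    findings = []
    for line in log_text.splitlines():
        parts = line.rsplit('"', 2)          # [..., user-agent, ""] for a well-formed line
        if len(parts) < 3:
            continue
        client_ip = line.split()[0]
        result = classify_user_agent(parts[1])
        if result is not None:
            findings.append(Finding(client_ip, *result))
    return findings


def unpatched_clients(log_text: str) -> List[str]:
    """Distinct client addresses that reported a pre-patch Safari or iOS build."""
    return sorted({f.client_ip for f in audit_proxy_log(log_text) if not f.patched})


# Constructed sample lines (not real traffic); addresses and hosts are placeholders.
SAMPLE_PROXY_LOG = """\
10.1.4.22 - - [11/Aug/2024:09:14:02 +0000] "GET https://intranet.example/ HTTP/1.1" 200 5120 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
10.1.4.37 - - [11/Aug/2024:09:14:09 +0000] "GET https://intranet.example/ HTTP/1.1" 200 5120 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1"
10.1.4.51 - - [11/Aug/2024:09:15:44 +0000] "GET https://intranet.example/ HTTP/1.1" 200 5120 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
10.1.4.80 - - [11/Aug/2024:09:16:10 +0000] "GET https://intranet.example/ HTTP/1.1" 200 5120 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
"""

if __name__ == "__main__":
    for finding in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    print("unpatched clients:", unpatched_clients(SAMPLE_PROXY_LOG))
```

Treat the output as a triage list, not proof: a user agent is client-supplied and only the iPhone form carries the OS build, so Macs and iPads are judged by the Safari version token alone. Reconcile the flagged addresses against the MDM inventory before acting on them.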

The Skeptic’s View: Apple’s Opaque Vulnerability Disclosure Process

Security researchers have long grumbled about Apple’s sparse advisories. The HT214117 entry for CVE-2024-27818 contains exactly one sentence of description. No known attack patterns. No attribution. No CVE credit to the researcher who reported it. Compare that to Microsoft’s detailed threat actor naming and attack chain breakdowns. The lack of transparency makes it difficult for the broader security community to build effective detections before the criminals reverse engineer the patch. As one independent iOS researcher put it: “Apple treats zero-days like a dirty secret. Meanwhile, the exploit brokers are selling iOS jailbreaks for seven figures. The asymmetry is staggering.”

“The Apple WebKit zero-day exploit ecosystem is a black hole. Apple patches silently, attackers reverse the fix in hours, and users get burned. If Apple published the technical details proactively, we could build rules to block the attack before the patch is even deployed.” — paraphrased from a blog post by a researcher at the Objective-See Foundation (July 2024).

That critique is not just academic. The new campaign uses a technique called “patch gap exploitation.” The attackers monitored the binary diff between the patched WebKit in iOS 17.5 and the vulnerable version in iOS 17.4. By analyzing the changed code, they identified the exact lines that fixed the type confusion bug. Then they constructed a different JavaScript sequence that triggers the same memory corruption without hitting the patched check. This is a cat-and-mouse game that Apple is losing because its patches are not holistic; they fix one symptom while leaving the underlying architectural weakness untouched.


The Trail of Breadcrumbs: Who Is Behind the Latest Attacks?

Attribution is always muddy with web-based zero-days, but the infrastructure used in this campaign shows fingerprints of a known state-sponsored group tracked as “LightBasin” or “UNC1945” by different firms. These are the same actors previously linked to attacks on telecommunications companies and financial services across Southeast Asia and the Middle East. The command and control domains used in the current wave were registered eight months ago using a fake US-based LLC, and they share SSL certificate patterns with earlier campaigns attributed to Chinese intrusion sets.

The targets are not random. According to telemetry shared by CrowdStrike, the Apple WebKit zero-day exploit is primarily hitting individuals in government ministries, defense contractors, and telecom infrastructure engineers. The payload dropped after exploitation is a custom implant that exfiltrates credentials from the iOS keychain and also captures screenshots of the device display every 30 seconds. This is not a spyware app that sits in the background quietly. It is a high volume, aggressive tool designed to scoop up sensitive data in real time.

Here is a brief timeline of the current threat based on logs shared by Volexity:

  • Aug 10, 2024: First observed phishing email with a link to a PDF tax document hosted on a compromised university .edu domain.
  • Aug 11, 2024: Multiple security vendors detect anomalous outbound connections from iOS devices to an IP range registered in Hong Kong.
  • Aug 12, 2024: Apple remains silent. No revised advisory, no emergency update. The original CVE-2024-27818 patch is still the only defense.

The silence from Cupertino is puzzling. Apple typically issues a follow-up advisory when a previously patched zero-day resurfaces in modified form. In this case, it has not. This leaves enterprise defenders in a difficult position: they must assume that the original patch is insufficient, but they have no official guidance on additional mitigation steps. The only safe bet is to block all WebKit rendering on unpatched devices, which for many organizations means breaking their internal web apps that rely on Safari WebView.

What You Can Do Right Now That Apple Won’t Tell You

If you are reading this on a device that has not been updated to iOS 17.5 or macOS Sonoma 14.5, stop reading and update. Seriously. Do it now. The Apple WebKit zero-day exploit will not wait for you to finish this paragraph. After updating, there are additional steps that security teams should take to harden against this specific campaign:

  • Block all PDF downloads from untrusted sources on your web proxy. The exploit is currently delivered via a malicious PDF that triggers WebKit rendering when the browser attempts to display it inline.
  • Disable Safari’s “Open safe files” setting on managed devices. This prevents automatic rendering of PDFs and other documents in the browser.
  • Enforce a zero trust policy for all iOS devices accessing corporate resources. Assume that any unpatched device is compromised.
  • Review DNS logs for connections to domains ending in .vip and .click that were registered in 2024. The current C2 infrastructure uses these TLDs.
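The last item, reviewing DNS logs for recently registered .vip and .click domains, is the kind of check worth scripting so it can run over a day of resolver logs at once. The Python below is an added example written for this article, not code from the article or from any named vendor. It parses constructed resolver log lines, reduces each query name to its registrable domain, keeps only the two TLDs the article names, and flags a domain when a registration-date lookup says 2024 (or when no registration date is known, so it can be looked up via RDAP). The log format, addresses, domain names and the in-memory registration table are all made up; in practice the table would be filled from RDAP or a WHOIS cache.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# TLDs and registration year named in the article's mitigation list.
WATCHED_TLDS = {"vip", "click"}
WATCHED_REG_YEAR = 2024

# Constructed stand-in for an RDAP/WHOIS cache: registrable domain -> registration year.
# Domains are placeholders; none of these are real indicators.
REGISTRATION_YEAR: Dict[str, int] = {
    "cdn-assets-example.vip": 2024,
    "promo-example.click": 2024,
    "oldshop-example.click": 2019,
}

# Constructed resolver log: "<timestamp> <client ip> query <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2024-08-11T09:14:02Z 10.1.4.22 query A cdn-assets-example.vip
2024-08-11T09:14:03Z 10.1.4.22 query AAAA static.cdn-assets-example.vip
2024-08-11T09:20:11Z 10.1.4.37 query A www.example.com
2024-08-11T09:21:40Z 10.1.4.80 query A oldshop-example.click
2024-08-11T09:25:55Z 10.1.4.80 query A api.promo-example.click
2024-08-11T09:30:00Z 10.1.4.51 query A unknown-example.vip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


class Hit(NamedTuple):
    client_ip: str
    domain: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Last two labels of the name. Adequate for flat TLDs such as .vip and .click;
    for TLDs with public second-level suffixes use a Public Suffix List library."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def review_dns_log(log_text: str, whois: Dict[str, int] = REGISTRATION_YEAR) -> List[Hit]:
    """Return one Hit per (client, domain) pair that matches the watched TLDs and
    is either registered in the watched year or has no known registration date."""
    seen = set()
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _timestamp, client_ip, _qtype, qname = m.groups()
        domain = registrable_domain(qname)
        tld = domain.rsplit(".", 1)[-1]
        if tld not in WATCHED_TLDS:
            continue
        year = whois.get(domain)
        if year is None:
            reason = "registration year unknown; look up via RDAP"
        elif year == WATCHED_REG_YEAR:
            reason = f"registered in {year}"
        else:
            continue                      # old registration on a watched TLD: not flagged
        key = (client_ip, domain)
        if key in seen:                   # collapse repeated lookups of the same domain
            continue
        seen.add(key)
        hits.append(Hit(client_ip, domain, reason))
    return hits


def clients_to_triage(log_text: str, whois: Dict[str, int] = REGISTRATION_YEAR) -> Dict[str, List[str]]:
    """Group flagged domains by the client that queried them."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for hit in review_dns_log(log_text, whois):
        grouped[hit.client_ip].append(hit.domain)
    return dict(grouped)


if __name__ == "__main__":
    for hit in review_dns_log(SAMPLE_DNS_LOG):
        print(hit)
    print(clients_to_triage(SAMPLE_DNS_LOG))
```

A domain on one of these TLDs is not malicious by itself, which is why the script records the reason for each hit and separates "unknown registration date" from "registered in 2024": the first set is a lookup queue, the second is what goes to an analyst together with the device inventory from the patch audit.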

The Kicker: We Are All Beta Testers

This Apple WebKit zero-day exploit saga underscores a painful truth: the tech industry’s patch model is broken. Users are left to play whack-a-mole with their own digital safety while vendors ship updates that only partially address the root cause. The attackers don’t have to be perfect; they just have to be faster than the users who ignore update notifications. Meanwhile, Apple’s walled garden approach, once marketed as a security advantage, now looks like a liability. The garden walls are crumbling, and the wild animals are inside.

The next time you swipe away that “Update Available” notification, ask yourself this: What piece of your life are you willing to lose in the two seconds it takes a zero-day to execute?

Frequently Asked Questions

What is the Apple WebKit zero-day exploit?

It is a critical vulnerability in Apple's WebKit browser engine that is actively being exploited before a patch is released.

Which devices are affected by this exploit?

It affects iPhones, iPads, Macs and all devices running older iOS, iPadOS or macOS versions.

How can I protect my device from this zero-day vulnerability?

Install the latest security updates released by Apple immediately and avoid clicking unknown links.

What damage can the exploit cause?

Attackers can execute arbitrary code on the device, potentially stealing data or installing malware.

Why does this require an urgent patch?

Because it is already being exploited in the wild, leaving unpatched devices actively at risk.
