Apple has already released a security patch for its Vision Pro headset, just one day after reviews were published.
Apple says the vulnerability "may have been exploited" already by hackers, and it concerns the device's Safari web browser engine, WebKit, which would have allowed threat actors to execute malicious code.
The tech giant patched the same flaw last week in the new iOS 17.3, which fixes not just iPhones and iPads, but also Macs and Apple TV. Apple Watch is still without a patch, however.
Already exploited?
TechCrunch asked Apple spokesperson Scott Radcliffe if the hackers used the flaw to target the Vision Pro specifically, but he "would not say."
It isn't known if the flaw was exploited for sure, but WebKit has proved a popular target for threat actors, such as spyware vendors, as it can give access to personal data and the whole operating system.
Users are at risk of this flaw when they visit dangerous web domains in their browser or via apps. Numerous patches for WebKit were also rolled out last year by Apple.
In January 2023, a flaw in the engine could have let hackers take full control of older iPhones and iPads. And in October of the same year, researchers discovered a way to steal passwords and other data from many Apple devices with A- and M- series chips, via Safari on Macs or any browser on iPhone and iPad, since they all rely on WebKit.
Interestingly, despite Apple requiring all browsers on its mobile devices to run on WebKit, Google Chromium engineers have been testing out the Blink engine on iOS, which powers Chrome in other instances, to see how well it would run, perhaps anticipating that Apple will at some point open the doors beyond WebKit.
