CVE-2024-40836: iOS allows running scripts from shortcuts, but this makes protecting your data difficult! (July 29, 2024)

Preface: A shortcut is usually implemented as a small file that contains the target URI or GUID of the object, or the name of the target program file that the shortcut represents. Shortcuts can also specify parameters to be passed to the target program when executed.

Background: After you’ve allowed a shortcut access to a web page, Shortcuts takes an extra step to further protect you from potentially malicious scripts by periodically downloading updated malware definitions. Before interacting with a web page, Shortcuts analyses the JavaScript, then consults the malware definitions. Based on this evaluation, Shortcuts is instructed to allow the script, to deny the script, or to display an additional prompt before allowing the shortcut to run.

Vulnerability details: A logic issue was addressed with improved checks. This issue is fixed in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, iOS 16.7.9 and iPadOS 16.7.9. A shortcut may be able to use sensitive data with certain actions without prompting the user.
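To check a device inventory against the fixed releases listed above, the following added example (not Apple's or the original post's code) compares each device's version within its own release branch, so that iOS 16.7.9 counts as fixed while iOS 17.5.1 does not. The device names and the inventory are constructed, and treating earlier releases of a listed branch as needing the update is an assumption; branches the advisory does not mention are reported as unknown.

```python
# Added example: fixed releases are copied from the advisory text above.
# Key: (platform, major-version branch). Value: first fixed release in that branch.
FIXED = {
    ("watchOS", 10): (10, 6),
    ("macOS", 14): (14, 6),
    ("iOS", 17): (17, 6),
    ("iPadOS", 17): (17, 6),
    ("iOS", 16): (16, 7, 9),
    ("iPadOS", 16): (16, 7, 9),
}

def parse_version(text):
    """Turn '16.7.9' into (16, 7, 9); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(version, length):
    """Right-pad with zeros so '17.6' and '17.6.0' compare as equal."""
    return version + (0,) * (length - len(version))

def status(platform, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for CVE-2024-40836."""
    version = parse_version(version_text)
    fixed = FIXED.get((platform, version[0]))
    if fixed is None:
        # Branch not named in the advisory: do not guess either way.
        return "unknown"
    width = max(len(version), len(fixed))
    # Assumption: releases before the fix in a listed branch need the update.
    return "patched" if pad(version, width) >= pad(fixed, width) else "needs-update"

# Constructed sample inventory (hypothetical device names).
DEVICES = [
    ("iphone-a", "iOS", "17.5.1"),   # numerically above 16.7.9, still unfixed
    ("iphone-b", "iOS", "16.7.9"),
    ("mac-a", "macOS", "14.6"),
    ("watch-a", "watchOS", "10.5"),
    ("mac-b", "macOS", "13.6.8"),    # branch not listed in the advisory
]

def audit(devices):
    """Map each device name to its patch status."""
    return {name: status(platform, ver) for name, platform, ver in devices}

if __name__ == "__main__":
    for name, result in audit(DEVICES).items():
        print(f"{name}: {result}")
```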

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-40836