Apple on Monday updated visionOS, the operating system powering its Vision Pro virtual reality headset, to version 1.2, which addresses several vulnerabilities, including what may be the first security flaw that is specific to this product.
visionOS 1.2 patches nearly two dozen vulnerabilities. However, a vast majority of them are in components that visionOS shares with other Apple products, such as iOS, macOS and tvOS.
Apple on Monday released the new visionOS security advisory and also updated iOS, macOS, and other advisories initially published in May to add the CVEs from the visionOS advisory.
The vulnerabilities can lead to arbitrary code execution, information disclosure, privilege escalation, and denial of service (DoS).
The vulnerability that stands out is CVE-2024-27812. This appears to be the only CVE that is specific to the Vision Pro headset, as it’s not listed in the advisories for any Apple product other than visionOS.
According to Apple, CVE-2024-27812 is related to the processing of specially crafted web content and exploitation can lead to a DoS condition.
“The issue was addressed with improvements to the file handling protocol,” Apple said in its advisory.
Ryan Pickren, the cybersecurity researcher credited by Apple for reporting this vulnerability, has confirmed for SecurityWeek that this is indeed a Vision Pro-specific vulnerability, and he believes “it is the first ever spatial computing hack”.
Pickren is not allowed to disclose any details until he gets approval from Apple.
The researcher previously earned significant bug bounties from Apple, and was recently part of a team that developed malware designed to target modern programmable logic controllers (PLCs).