Apple has released patches for two zero-day vulnerabilities, which were exploited by threat actors in the wild. These flaws enable attackers to craft malicious web content, leading to arbitrary code execution and cross-site scripting attacks.
The two zero-days affect a wide range of products, including Macs, iPhones, iPads, Vision Pro, and the Safari browser on macOS Ventura and Sonoma. However, according to Apple's rapid security responses, threat actors have been exploiting the flaws specifically on Intel-based macOS systems.
The first vulnerability, tracked as CVE-2024-44308, affects JavaScriptCore, the high-performance JavaScript engine developed by Apple. It allows attackers to craft malicious web content which, when processed, leads to arbitrary code execution. Apple's patches address this vulnerability with improved checks.
The second flaw, CVE-2024-44309, is a cookie management issue that enables cross-site scripting attacks; exploiting it likewise requires crafting malicious web content. According to Apple, this issue “was addressed with improved state management.”
Both vulnerabilities are fixed in the following software versions, released on November 19th, 2024: Safari 18.1.1, iOS 17.7.2, iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1, iPadOS 18.1.1, and visionOS 2.1.1.
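The release list above has one wrinkle that a fleet check must get right: iOS and iPadOS are fixed on two branches (17.7.2 and 18.1.1), so a device on 18.0.x is still unpatched even though 18.0 is numerically above 17.7.2, and Ventura or Sonoma Macs are covered by the Safari 18.1.1 update rather than by a macOS release. The following Python is an added example, not code from the article or from Apple; the platform names, the inventory records and the branch-to-fix mapping are constructed here from the version list in the text.

```python
"""Patch-status check for CVE-2024-44308 / CVE-2024-44309 (added example)."""
from __future__ import annotations

# Minimum fixed version per platform and release branch, taken from Apple's
# November 19th, 2024 release list. The branch mapping (major version -> fixed
# release) is an assumption drawn from that list: iOS/iPadOS 17.x devices are
# fixed at 17.7.2, 18.x devices at 18.1.1. Platform keys are constructed labels.
FIXED_VERSIONS: dict[str, dict[int, tuple[int, ...]]] = {
    "ios": {17: (17, 7, 2), 18: (18, 1, 1)},
    "ipados": {17: (17, 7, 2), 18: (18, 1, 1)},
    "macos": {15: (15, 1, 1)},      # Sequoia; Ventura/Sonoma are fixed via Safari
    "visionos": {2: (2, 1, 1)},
    "safari": {18: (18, 1, 1)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.1.1' or '17.7' into a comparable tuple, padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(platform: str, version: str) -> bool | None:
    """True if this platform/version carries the fixes, False if it does not,
    and None when the major version is not on the release list at all (e.g.
    macOS 14), so the caller checks the Safari build instead of assuming safety."""
    branches = FIXED_VERSIONS.get(platform.lower())
    if branches is None:
        raise ValueError(f"unknown platform: {platform}")
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    {"host": "mbp-01", "platform": "macos", "version": "15.1.1"},
    {"host": "mbp-02", "platform": "macos", "version": "15.1"},
    {"host": "mbp-03", "platform": "macos", "version": "14.7.1"},   # Sonoma host
    {"host": "mbp-03-safari", "platform": "safari", "version": "18.1.1"},
    {"host": "iphone-04", "platform": "ios", "version": "18.0.1"},  # above 17.7.2, still unpatched
    {"host": "iphone-05", "platform": "ios", "version": "17.7.2"},
]


def unpatched_hosts(inventory: list[dict[str, str]]) -> list[str]:
    """Hosts whose listed platform/version is definitely below the fixed release.
    Records that return None (branch not on the list) are left for manual review."""
    return [
        r["host"] for r in inventory
        if is_patched(r["platform"], r["version"]) is False
    ]


def needs_review(inventory: list[dict[str, str]]) -> list[str]:
    """Hosts whose OS branch is not covered by the list (judge by Safari version)."""
    return [
        r["host"] for r in inventory
        if is_patched(r["platform"], r["version"]) is None
    ]


if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    print("review:   ", needs_review(SAMPLE_INVENTORY))
```

Returning `None` rather than `False` for an uncovered branch is deliberate: a Sonoma Mac is neither "patched" nor "unpatched" by the macOS release list, and collapsing that into either answer would hide exactly the hosts where the Safari build is what matters.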
“Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security,” Apple says.
The vulnerabilities were reported to Apple by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group.