Friday, April 25, 2025

Apple Tackles Two Zero-Day Vulnerabilities in iPhone and Mac Devices

Apple has rolled out a series of software updates aimed at countering two recently discovered zero-day vulnerabilities that might already be under active exploitation.

These vulnerabilities, CVE-2024-44308 and CVE-2024-44309, were uncovered by Clément Lecigne and Benoît Sevens from the Google Threat Analysis Group. They impact several platforms: iOS and iPadOS versions 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1, and Safari 18.1.1.

CVE-2024-44308 affects the JavaScriptCore framework. It allows a hacker to execute arbitrary code if they can trick a device into processing harmful web content. Apple reports that this vulnerability has already been exploited on Intel-based Macs.

CVE-2024-44309 pertains to WebKit, the open-source engine behind Apple’s browser, and affects how it handles cookies. This flaw could enable an attacker to execute a cross-site scripting (XSS) attack, in which they inject malicious data into trustworthy site content read by the victim’s browser. This can lead to serious consequences, including stealing session cookies, impersonating users, or spreading malware. There are also reports of this vulnerability being exploited on Intel Macs.

Michael Covington from Jamf emphasizes the urgency for users to patch these vulnerabilities swiftly. He points out that the updates strengthen checks against malicious activities and improve data management during browsing.

This isn’t the first time WebKit has faced issues this year. Back in January, Apple patched another significant vulnerability, CVE-2024-23222, which also made it onto the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. That one was a type confusion vulnerability leading to arbitrary code execution.

Details about these vulnerabilities remain limited. However, the involvement of Google’s security teams, known for addressing threats from predatory spyware vendors like the now-infamous NSO Group, suggests these flaws could attract attention from malicious actors.

Apple has been proactive in addressing threats. Earlier this year, they alerted iOS users in over 90 countries about a spyware attack that posed a significant risk.

To ensure safety, Apple users who don’t have automatic updates turned on can find and install these patches by going to Settings, then General, and selecting Software Update.