Apple has released software updates to address two zero-day vulnerabilities that, by its own account, may already have been exploited in the wild.
The two flaws, CVE-2024-44308 and CVE-2024-44309, were reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group. Fixes ship in iOS and iPadOS 18.1.1 and 17.7.2, macOS Sequoia 15.1.1, visionOS 2.1.1 and Safari 18.1.1; the Safari update also covers Macs still running macOS Ventura or Sonoma. (Those are the fixed versions, not the affected ones: anything older is unpatched.)
CVE-2024-44308 is in JavaScriptCore, the JavaScript engine inside WebKit. Processing maliciously crafted web content can lead to arbitrary code execution, meaning that luring a victim to an attacker-controlled page is enough to run the attacker's code in the browser process. Apple fixed it with improved checks and says it is aware of a report that the issue may have been actively exploited on Intel-based Macs.
CVE-2024-44309 is in WebKit itself, the open-source engine behind Safari, and is a cookie-management issue that Apple addressed with improved state management. According to the advisory, processing malicious web content may lead to a cross-site scripting (XSS) attack: script the attacker controls runs in the context of a site the victim trusts, with the same access to that site's cookies and session as the site's own pages. The practical consequences are theft of session cookies and impersonation of the user on the affected site. Apple reports that this issue, too, may have been exploited on Intel-based Macs.
Michael Covington from Jamf emphasizes the urgency for users to patch these vulnerabilities swiftly. He points out that the updates strengthen checks against malicious activities and improve data management during browsing.
WebKit has already needed emergency patching this year. In January, Apple fixed CVE-2024-23222, a type confusion bug in WebKit that could lead to arbitrary code execution and that the U.S. Cybersecurity and Infrastructure Security Agency added to its Known Exploited Vulnerabilities catalog.
Apple has published no technical details on either bug. The source of the reports matters, though: Google's Threat Analysis Group tracks government-backed attackers and commercial spyware vendors such as the now-infamous NSO Group, so its involvement is a strong hint that the flaws were found in real attacks, and devices left unpatched become easier targets once the fixes are public and can be compared against the previous build.
Apple has also been warning targets directly. In April it notified iOS users in 92 countries that they may have been targeted by mercenary spyware.
Users who do not have automatic updates turned on can install the patches from Settings > General > Software Update on iPhone and iPad, or System Settings > General > Software Update on a Mac. Intel Macs that cannot run Sequoia still receive the Safari 18.1.1 update through the same macOS Software Update pane, which matters because Intel Macs are where the exploitation was reported.
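For anyone responsible for more than one Mac, the useful check is not "did I click Update" but "is the installed build at or above the version that contains the fix". The script below is an added example written for this article, not Apple's or Jamf's tooling: it compares the installed macOS and Safari versions against the fixed versions from Apple's advisory (15.1.1 and 18.1.1) and flags Intel machines, where the exploitation was reported. The version comparison and assessment logic are pure functions that run anywhere; the live check at the bottom only runs where `sw_vers` exists and assumes Safari's Info.plist sits at its standard path.

```shell
#!/bin/sh
# Added example: is this Mac patched for CVE-2024-44308 / CVE-2024-44309?
# Fixed versions are taken from Apple's advisory; the Safari bundle path and
# the use of x86_64 as the Intel marker are assumptions of this script.

FIXED_MACOS="15.1.1"
FIXED_SAFARI="18.1.1"

# version_ge A B: succeed when dotted version A is >= B, comparing each
# component numerically and treating missing components as 0 (18.1 == 18.1.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# assess PRODUCT INSTALLED ARCH: print one status line; return 0 when the
# installed build already contains the fix, 1 when it needs updating.
assess() {
    product="$1"; installed="$2"; arch="$3"
    case "$product" in
        macos)  fixed="$FIXED_MACOS" ;;
        safari) fixed="$FIXED_SAFARI" ;;
        *)      echo "unknown product: $product" >&2; return 2 ;;
    esac
    if version_ge "$installed" "$fixed"; then
        echo "$product $installed ($arch): patched (>= $fixed)"
        return 0
    fi
    note=""
    # Apple reported in-the-wild exploitation on Intel-based Macs only.
    [ "$arch" = "x86_64" ] && note=" [Intel: in-the-wild exploitation reported]"
    echo "$product $installed ($arch): NEEDS UPDATE to $fixed$note"
    return 1
}

# Live check: only runs on macOS, where sw_vers exists. On Ventura/Sonoma the
# macOS line will always say NEEDS UPDATE; the Safari line is the one that
# matters there, since Safari 18.1.1 is the fix for those releases.
if command -v sw_vers >/dev/null 2>&1; then
    arch="$(uname -m)"
    assess macos "$(sw_vers -productVersion)" "$arch"
    plist="/Applications/Safari.app/Contents/Info.plist"   # assumed location
    if [ -f "$plist" ]; then
        assess safari "$(defaults read "${plist%.plist}" CFBundleShortVersionString)" "$arch"
    fi
fi
```

Run it under an MDM or SSH loop and grep for `NEEDS UPDATE`; the exit status of `assess` lets you branch on the result without parsing the text.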