Apple has released crucial security updates across its range of platforms—iOS, iPadOS, macOS, visionOS, and Safari—addressing two zero-day vulnerabilities that have been actively exploited by cyber attackers.
The vulnerabilities, identified as CVE-2024-44308 and CVE-2024-44309, pose significant risks. The first flaw, CVE-2024-44308, resides in JavaScriptCore and could allow malicious web content to execute arbitrary code on affected devices. The second, CVE-2024-44309, involves cookie management in WebKit and could lead to cross-site scripting (XSS) attacks when processing harmful web data.
In response, Apple has strengthened its security measures by implementing improved checks and more robust state management. While specific details of the exploitation are still limited, Apple has confirmed that the vulnerabilities were likely being used to target Intel-based Mac systems.
The flaws were discovered by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG), who suggest that these vulnerabilities may have been exploited in highly targeted attacks, potentially involving government-backed or mercenary spyware operations.
Apple has made these updates available for a wide range of devices:
- iOS 18.1.1 and iPadOS 18.1.1: Compatible with iPhone XS and newer, iPad Pro models (13-inch, 12.9-inch 3rd gen and later, 11-inch 1st gen and later), iPad Air (3rd gen and later), iPad (7th gen and later), and iPad mini (5th gen and later).
- iOS 17.7.2 and iPadOS 17.7.2: Supports iPhone XS and newer, iPad Pro models (13-inch, 12.9-inch 2nd gen and later, 10.5-inch, 11-inch 1st gen and later), iPad Air (3rd gen and later), iPad (6th gen and later), and iPad mini (5th gen and later).
- macOS Sequoia 15.1.1: For Macs running macOS Sequoia.
- visionOS 2.1.1: For the Apple Vision Pro.
- Safari 18.1.1: For Macs running macOS Ventura and macOS Sonoma.
This latest patch brings the total number of zero-day flaws addressed by Apple this year to four, including a vulnerability that was demonstrated at the Pwn2Own Vancouver competition earlier in 2024. With ongoing security threats, users are urged to update their devices as soon as possible to safeguard against potential exploits.