Apple has rolled out critical security updates to tackle two zero-day vulnerabilities that are reportedly being actively exploited in the wild. These updates apply to iOS, iPadOS, macOS, visionOS, and Safari.
Here’s a breakdown of the vulnerabilities:
- What is it? A flaw in JavaScriptCore could allow attackers to execute arbitrary code by tricking users into processing malicious web content.
- What is it? A cookie management issue in WebKit could lead to cross-site scripting (XSS) attacks when processing harmful web content.
How Apple Fixed It – CVE-2024-44308 and CVE-2024-44309
Apple resolved these vulnerabilities with enhanced validation for JavaScriptCore (CVE-2024-44308) and improved state management for WebKit’s cookie handling (CVE-2024-44309).
While Apple hasn’t disclosed specific exploitation details, they’ve confirmed that these vulnerabilities may have been actively exploited on Intel-based Mac systems.
Who Discovered the Flaws?
The vulnerabilities were uncovered by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG). This points to a high likelihood that these flaws were leveraged in targeted attacks, possibly tied to government-backed or mercenary spyware campaigns.
Devices and Systems That Need Updating
Here’s a quick look at which devices and operating systems require updates:
- iOS 18.1.1 & iPadOS 18.1.1
- iPhone XS and later
- iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later)
- iPad Air (3rd gen and later), iPad mini (5th gen and later)
- iOS 17.7.2 & iPadOS 17.7.2
- iPhone XS and later
- iPad Pro 13-inch, iPad Pro 12.9-inch (2nd gen and later), iPad Pro 10.5-inch
- iPad Air (3rd gen and later), iPad mini (5th gen and later)
- macOS Sequoia 15.1.1
- All Macs running macOS Sequoia
- visionOS 2.1.1
- Apple Vision Pro
- Safari 18.1.1
- Macs running macOS Ventura and macOS Sonoma
Why This Matters
These two vulnerabilities add to the four zero-day flaws Apple has addressed this year, including one demonstrated at the Pwn2Own Vancouver hacking competition. This shows that even tech giants like Apple are continually battling sophisticated threats.
What Should You Do?
To protect yourself, update your devices immediately to the latest versions. These updates aren’t just routine—they’re essential for staying secure in an increasingly risky digital landscape.
At Bluefire Redteam, we’re committed to keeping you informed about critical cybersecurity developments.