Apple has issued critical security updates to patch two zero-day vulnerabilities in its software that have been actively exploited in the wild. These flaws, affecting iOS, iPadOS, macOS, visionOS, and Safari, pose serious risks, especially to Intel-based Mac systems.
What is a zero-day attack?
A zero-day attack refers to an exploit that targets a vulnerability in software that is unknown to the software vendor or to the public. Because the vendor is unaware of the flaw, they have had “zero days” to address it before it is exploited by cybercriminals. These types of attacks are particularly dangerous as they can go undetected for extended periods, allowing attackers to take full advantage of the security gap.
Apple’s response to exploited vulnerabilities
Apple has identified and patched two critical vulnerabilities, CVE-2024-44308 and CVE-2024-44309, which are believed to have been exploited in targeted attacks. The first flaw, CVE-2024-44308, resides in the JavaScriptCore component and could allow an attacker to execute arbitrary code when malicious web content is processed. The second vulnerability, CVE-2024-44309, affects WebKit and could enable cross-site scripting (XSS) attacks when handling specific types of web content. These vulnerabilities, when combined, pose significant risks, particularly for those browsing the web on affected devices.
While details on the exact nature of the attacks remain limited, Apple has acknowledged that these vulnerabilities were actively exploited, with a focus on Intel-based Mac systems. This indicates that the flaws may have been leveraged by sophisticated cyber attackers, possibly linked to government-backed or mercenary spyware campaigns.
Apple’s fix and recommendations
In response to these security issues, Apple has rolled out updated versions for multiple operating systems and devices. The company stated that it has addressed CVE-2024-44308 with enhanced checks in JavaScriptCore and CVE-2024-44309 with improved state management in WebKit. These fixes should effectively mitigate the risk posed by these vulnerabilities.
Apple strongly recommends that users update their devices immediately to the latest software versions. The following updates are available:
- iOS 18.1.1 and iPadOS 18.1.1 for devices like iPhone XS and later, iPad Pro (various models), iPad Air (3rd generation and later), iPad 7th generation and later, and iPad mini 5th generation and later.
- iOS 17.7.2 and iPadOS 17.7.2 for older devices such as iPhone XS and later, iPad Pro (various models), and iPad mini 5th generation and later.
- macOS Sequoia 15.1.1 for Macs running macOS Sequoia.
- visionOS 2.1.1 for Apple Vision Pro.
- Safari 18.1.1 for Macs running macOS Ventura and macOS Sonoma.
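For anyone managing more than a handful of devices, the version list above can be turned into an inventory check. The following is an added example, not Apple's tooling or code from this article; the host names, the inventory format and the status labels are constructed for illustration, and the fixed versions are the ones listed above.

```python
# Fixed versions from the list above, keyed by (product, major version).
# Safari uses major=None: the article lists one Safari build (18.1.1) for
# Ventura and Sonoma, so any older Safari is treated as lacking the fix.
FIXED = {
    ("ios", 18): (18, 1, 1), ("ipados", 18): (18, 1, 1),
    ("ios", 17): (17, 7, 2), ("ipados", 17): (17, 7, 2),
    ("macos", 15): (15, 1, 1),
    ("visionos", 2): (2, 1, 1),
    ("safari", None): (18, 1, 1),
}

def parse_version(text):
    """'18.1' -> (18, 1, 0). Raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def classify(product, version):
    """Return 'patched', 'needs-update', 'review' or 'unparseable'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"          # e.g. beta strings; check by hand
    key = product.strip().lower()
    fixed = FIXED.get((key, v[0])) or FIXED.get((key, None))
    if fixed is None:
        return "review"               # release line not in the list above
    return "patched" if v >= fixed else "needs-update"

def audit(inventory):
    """Group host names by status. inventory: (host, product, version)."""
    report = {}
    for host, product, version in inventory:
        report.setdefault(classify(product, version), []).append(host)
    return report

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("mac-001", "macOS", "15.1"),
    ("mac-002", "macOS", "15.1.1"),
    ("iph-003", "iOS", "17.7.1"),
    ("iph-004", "iOS", "18.2"),
    ("ipd-005", "iPadOS", "16.7.10"),
    ("mac-006", "Safari", "17.6"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

A "review" result means the list above gives no fixed build for that release line, so the device needs a manual check rather than being assumed safe.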
This release is part of a broader effort by Apple to safeguard its ecosystem, addressing a total of four zero-day vulnerabilities this year, including the flaw demonstrated at the Pwn2Own Vancouver hacking competition. Given the severity of these vulnerabilities and the active exploitation targeting Intel-based Macs, users are urged to act promptly by updating their devices.