Apple Fixes Two Actively Exploited Zero-Day Flaws Across its Platforms

Apple has released patches addressing two zero-day vulnerabilities that attackers were reportedly exploiting in the wild. These issues affect various Apple products, including macOS, iOS, iPadOS, Safari, and visionOS. The flaws, tracked as CVE-2024-44308 and CVE-2024-44309, were discovered and reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG).

Two zero-day flaws

The vulnerabilities reside in WebKit and JavaScriptCore, two critical components for rendering and executing web content across Apple's ecosystem. These flaws could allow attackers to execute arbitrary code or conduct cross-site scripting (XSS) attacks by tricking victims into interacting with maliciously crafted web content.

The two flaws are tracked under CVE-2024-44308 (arbitrary code execution in JavaScriptCore) and CVE-2024-44309 (cross-site scripting via improper cookie state management in WebKit).

Apple confirmed that these vulnerabilities were actively exploited on Intel-based Mac systems, though the company has not disclosed specific details about the exploitation methods or the attack vectors.

Impact and exploitation

The vulnerabilities impact a wide range of Apple devices and operating systems:

• macOS Sequoia (15.1.1)
• iOS 18.1.1 and iPadOS 18.1.1
• iOS 17.7.2 and iPadOS 17.7.2
• visionOS 2.1.1 (used in Apple Vision Pro)
• Safari 18.1.1 on macOS Ventura and macOS Sonoma

These systems are foundational to Apple's product ecosystem, supporting millions of users in personal, enterprise, and professional settings.

Although no technical details were disclosed, the nature of the vulnerabilities suggests that attackers could use phishing campaigns or maliciously embedded web content to deliver exploits. The focus on WebKit and JavaScriptCore implies these flaws might be leveraged via compromised websites or targeted advertisements to execute code remotely or steal session data.

Applying the security updates

To protect against these vulnerabilities, users should update their devices as soon as possible.

For iOS/iPadOS:

1. Open Settings > General > Software Update.
2. Download and install the latest update (iOS 17.7.2, 18.1.1, or corresponding iPadOS version).

For macOS:

1. Open System Preferences > Software Update (or System Settings > General > Software Update on newer versions).
2. Download and apply the update for macOS Sequoia 15.1.1.

Keeping Safari updated is also crucial, as it relies on WebKit. Safari updates can be found in the App Store under the Updates tab for macOS.

Given the active exploitation of these vulnerabilities, Apple users should prioritize applying the updates without delay.