
Apple Security Updates: Fix Zero-Day Vulnerabilities in iOS, macOS, and Safari

Apple has recently rolled out security updates across its ecosystem, including iOS, iPadOS, macOS, visionOS, and Safari. These updates address two significant zero-day vulnerabilities actively exploited in the wild. Both flaws, if left unpatched, could expose users to security risks, including arbitrary code execution and cross-site scripting (XSS) attacks.

The Identified Vulnerabilities

  • CVE-2024-44308 (CVSS score: 8.8)
    A serious flaw in JavaScriptCore that could allow malicious web content to execute arbitrary code.

  • CVE-2024-44309 (CVSS score: 6.1)
    A vulnerability in WebKit’s cookie management, potentially allowing attackers to carry out cross-site scripting (XSS) attacks through malicious content.

Apple’s Response to the Vulnerabilities

Apple responded swiftly by enhancing checks and improving state management to resolve these issues. While the exact nature of the exploitation is still unclear, Apple acknowledges that the vulnerabilities may have been actively exploited, particularly on Intel-based Mac systems.

The flaws were reported by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG), who indicated that these vulnerabilities were likely used in highly targeted attacks, potentially involving government-backed or mercenary spyware.

Affected Devices and Available Updates

Apple has released the following security updates for the affected devices:

  • iOS 18.1.1 and iPadOS 18.1.1
    Compatible Devices: iPhone XS and later, iPad Pro (13-inch and 12.9-inch 3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad 7th generation and later, iPad mini 5th generation and later.

  • iOS 17.7.2 and iPadOS 17.7.2
    Compatible Devices: iPhone XS and later, iPad Pro (13-inch, 12.9-inch 2nd generation and later), iPad Pro 10.5-inch, iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad 6th generation and later, iPad mini 5th generation and later.

  • macOS Sequoia 15.1.1
    Compatible Devices: Macs running macOS Sequoia.

  • visionOS 2.1.1
    Compatible Devices: Apple Vision Pro.

  • Safari 18.1.1
    Compatible Devices: Macs running macOS Ventura and macOS Sonoma.
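
For teams tracking a fleet, the list above can be turned into a branch-aware patch check. The following is an added example, not code from Apple or from this article; the inventory records, host names and field names are constructed, and a release branch not listed above is reported as unknown rather than guessed.

```python
# Added example (not Apple's or the article's code): flag devices below the
# fixed versions listed above. Inventory records and field names are constructed.

# Fixed versions from the article, keyed by (platform, major release branch).
FIXED = {
    ("ios", 18): (18, 1, 1), ("ios", 17): (17, 7, 2),
    ("ipados", 18): (18, 1, 1), ("ipados", 17): (17, 7, 2),
    ("macos", 15): (15, 1, 1),
    ("visionos", 2): (2, 1, 1),
}
SAFARI_FIXED = (18, 1, 1)     # Safari 18.1.1
SAFARI_ONLY_MACOS = {13, 14}  # Ventura and Sonoma get the fix via Safari


def parse(version):
    """'17.7' -> (17, 7, 0); pads to three parts so tuples compare correctly."""
    parts = [int(p) for p in version.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def status(platform, os_version, safari_version=None):
    """Return 'patched', 'vulnerable' or 'unknown' for one device record."""
    platform, os_v = platform.lower(), parse(os_version)
    if platform == "macos" and os_v[0] in SAFARI_ONLY_MACOS:
        if safari_version is None:
            return "unknown"  # cannot judge without the Safari version
        return "patched" if parse(safari_version) >= SAFARI_FIXED else "vulnerable"
    fixed = FIXED.get((platform, os_v[0]))
    if fixed is None:
        return "unknown"      # branch not covered by the updates listed here
    return "patched" if os_v >= fixed else "vulnerable"


INVENTORY = [  # constructed sample records
    {"host": "iphone-01", "platform": "iOS", "os": "18.1"},
    {"host": "ipad-07", "platform": "iPadOS", "os": "17.7.2"},
    {"host": "mbp-12", "platform": "macOS", "os": "14.7.1", "safari": "18.1"},
    {"host": "mbp-13", "platform": "macOS", "os": "15.1.1"},
    {"host": "iphone-old", "platform": "iOS", "os": "16.7.10"},
]


def audit(inventory):
    """Map each host to its status."""
    return {d["host"]: status(d["platform"], d["os"], d.get("safari")) for d in inventory}


if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:12} {result}")
```

Comparing within the device's own release branch is what keeps an iPad on 17.7.2 from being flagged merely because it is below 18.1.1.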

Previous Zero-Day Patches from Apple

This is not the first time Apple has addressed zero-day flaws this year. In total, Apple has patched four zero-days in 2024, including one (CVE-2024-27834) demonstrated at the Pwn2Own Vancouver hacking competition. The other three were patched in January and March of 2024.

Update Your Devices for Maximum Protection

To ensure your devices are secure and protected from potential exploitation, it is highly recommended that users update to the latest versions as soon as possible. Keeping your devices updated is crucial to defending against cyber threats and maintaining a strong cybersecurity posture.
