Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308)

Apple has released emergency security updates for macOS Sequoia that fix two zero-day vulnerabilities (CVE-2024-44309, CVE-2024-44308) that “may have been actively exploited on Intel-based Mac systems”.

CVE-2024-44309 CVE-2024-44308

About CVE-2024-44309 and CVE-2024-44308

CVE-2024-44309 affects WebKit, the browser engine used in the Safari web browser and all iOS and iPadOS web browsers, and can be triggered when it’s made to process maliciously crafted web content. It can enable a cross site scripting (XSS) attack.

CVE-2024-44308 affects JavaScriptCore – the built-in JavaScript engine for WebKit – and can likewise be exploited via maliciously crafted web content. It can lead to arbitrary code execution.

Both vulnerabilities have been reported by security researchers Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG), which aims to protect users from advanced persistent threats such as state-sponsored malware and commercial spyware attacks, as well as financially motivated attacks.

As per usual, Apple didn’t share details about the attacks in which patched vulnerabilities are exploited. Google TAG usually disclosed such details months after the patches are provided.

Still, it’s safe to say that the spotted attacks aren’t indiscriminately targeting all Mac users, but are leveraging the flaws for targeted attacks.

Update ASAP!

Apple has transitioned to using Intel processors on Macs in June 2006 and stopped shipping them altogether in June 2023, after starting using its own silicon in 2020.

The two vulnerabilities “may have been actively exploited on Intel-based Mac systems”, but it’s unclear at this time whether that means that they can’t be exploited on Apple-based Macs.

In any case, all MacOS Sequoia users should update their systems as soon as possible.

While Apple’s mobile devices (iPhones, iPads) and its mixed-reality headset (Vision Pro) don’t run on Intel silicon, CVE-2024-44309 and CVE-2024-44308 have also been fixed in Safari, visionsOS, iOS and iPadOS 18 and 17, to protect iPhone, iPad, Vision Pro and Mac users that use older macOS branches.

UPDATE (November 27, 2024, 01:20 p.m. ET):

The two vulnerabilities have also been fixed in WPE, the official WebKit port for Linux-based embedded devices, and WebKitGTK, a WebKit port for projects requiring web integration.

OPIS OPIS

OPIS

Don't miss