Pierluigi Paganini November 20, 2024

Apple released security updates for iOS, iPadOS, macOS, visionOS, and Safari browser to address two actively exploited zero-day flaws.

Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, macOS, visionOS, and Safari web browser, which are actively exploited in the wild.

The vulnerability CVE-2024-44309 is a cookie management issue in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content.

“Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” reads the advisory.

Apple addressed the cookie management issue with improved state management.

The vulnerability CVE-2024-44308 impacts the JavaScriptCore and could lead to arbitrary code execution when processing malicious web content.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” reads the advisory.

The company fixed the issue with improved checks.

The IT giant did not disclose details about the attack or attribute it to specific threat actors.

Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group discovered both vulnerabilities.

Google’s Threat Analysis Group (TAG) focuses on protecting users by monitoring and countering advanced persistent threats (APTs) and cyber-espionage activities, often involving commercial spyware. This suggests that the two flaws may be part of an exploit employed by an advanced threat actor.

The company released the following updates to address the two vulnerabilities:

• iOS 18.1.1 and iPadOS 18.1.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
• iOS 17.7.2 and iPadOS 17.7.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
• Safari 18.1.1 – for system running macOS Ventura and macOS Sonoma
• macOS Sequoia 15.1.1 
• visionOS 2.1.1

Users should promptly update their devices to the latest versions.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day vulnerabilities)