Apple Patches Two Zero-Day Vulnerabilities Exploited in Attacks
Apple has released emergency security updates to address two zero-day vulnerabilities exploited in attacks targeting systems with Intel processors.
The updates resolve flaws identified in macOS Sequoia’s JavaScriptCore and WebKit components:
- CVE-2024-44308 (CVSS score: 6.8) — A vulnerability in macOS Sequoia’s JavaScriptCore that could lead to remote code execution (RCE) when processing malicious web content.
- CVE-2024-44309 (CVSS score: 4.3) — A cookie management vulnerability in WebKit that could facilitate cross-site scripting (XSS) attacks when handling malicious web content.
Apple stated that it has addressed these vulnerabilities by enhancing validation processes and state management. However, specific details on exploitation methods have not yet been disclosed.
The flaws were rectified in the macOS Sequoia 15.1.1 update. The issues also affect other Apple operating systems that use similar components. Fixes have been included in iOS 17.7.2 and iPadOS 17.7.2, as well as iOS 18.1.1, iPadOS 18.1.1, and visionOS 2.1.1.
This year, Apple has patched six zero-day vulnerabilities. In comparison, 20 such flaws were addressed last year. Security experts strongly advise all users to update their devices to the latest operating system versions to safeguard against potential attacks.
In September, Apple launched a new operating system for computers—macOS 15, known as Sequoia. However, shortly after its release, reports surfaced of the system causing compatibility issues with certain cybersecurity products, including solutions from CrowdStrike and Microsoft, resulting in widespread Windows disruptions globally.
A security researcher operating under the pseudonym “Mickey Jin” introduced a novel attack vector capable of bypassing macOS protections. Speaking at the POC2024 conference, the researcher revealed a recently identified vulnerability that enables attackers to bypass macOS sandboxing and gain unrestricted access to files.
