Pierluigi Paganini November 20, 2024
Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, macOS, visionOS, and the Safari web browser; both flaws have been actively exploited in the wild.
The vulnerability CVE-2024-44309 is a cookie management issue in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content.
“Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” reads the advisory.
Apple addressed the cookie management issue with improved state management.
The vulnerability CVE-2024-44308 affects JavaScriptCore, the JavaScript engine used by WebKit, and could lead to arbitrary code execution when processing maliciously crafted web content.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” reads the advisory.
The company fixed the issue with improved checks.
The IT giant did not disclose details about the attack or attribute it to specific threat actors.
Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group discovered both vulnerabilities.
Google’s Threat Analysis Group (TAG) focuses on protecting users by monitoring and countering advanced persistent threats (APTs) and cyber-espionage activities, often involving commercial spyware. This suggests that the two flaws may be part of an exploit employed by an advanced threat actor.
The company released the following updates to address the two vulnerabilities:
Users should promptly update their devices to the latest versions.