Apple addresses two iPhone, Mac zero-days – Step-by-Step

Explore the Latest in Trends & Innovations: Apple addresses two iPhone, Mac zero-days Hey there! Check out some must-see info about Apple addresses two iPhone, Mac zero-days. Stay updated with the cutting-edge trends and innovations …

Apple addresses two iPhone, Mac zero-days – Step-by-Step

Explore the Latest in Trends & Innovations: Apple addresses two iPhone, Mac zero-days

Hey there! Check out some must-see info about Apple addresses two iPhone, Mac zero-days. Stay updated with the cutting-edge trends and innovations that are shaping our world.

Introduction

Introduction: This guide will walk you through the steps of [guide_topic] with easy-to-follow instructions.

Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.

The fixes for CVE-2024-44308 and CVE-2024-44309 – both attributed to Clément Lecigne and Benoît Sevens of the Google Threat Analysis Group – affect devices running iOS and iPadOS 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. They are also present in Safari 18.1.1.

CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.

CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.

In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victim’s browser. They can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.

Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.

WebKit at risk

Michael Covington, vice-president of strategy at Jamf, a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the framework’s criticality to the Safari web browser.

“The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able,” said Covington.

CVE-2024-44309 is not the first issue to affect WebKit identified this year. In late January Apple patched CVE-2024-23222 – which also made it into the US’ Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue.

Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable device

As ever, Apple has provided scant detail on either of these vulnerabilities or how they have been taken advantage of. However, their identification by Google teams that have previously worked on vulnerabilities exploited by predatory commercial spyware vendors – such as disgraced Israeli firm NSO – may indicate the sort of people to whom these new flaws may be of interest.

Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.

As usual, Apple users who have not enabled automated updates can download the patches by navigating to their device’s Settings menu, then to General, then to Software Update.

Key Takeaways

  • Guess what? This was brought to you by on 2024-11-20 16:28:00 from the feed.
  • Check out an image: Apple addresses two iPhone, Mac zero-days
  • Want to know more? at www.computerweekly.com

Key Insights

  • Fascinating detail #1 about this innovation.
  • Fascinating detail #2 that you need to know.
  • Incredible insight #3 that will blow your mind.

Looking for more? Don’t miss out on the latest in .


Stay Updated

Stay Updated: Follow us for more exciting updates and trends! #CoolTech

Want to stay ahead of the curve? Subscribe to our newsletter for more trending news and innovative ideas!

Join our discussion: Share your thoughts on the latest trends and innovations!

Leave a Comment

Index