Introduction

Apple has issued emergency security updates to address two critical zero-day vulnerabilities in macOS Sequoia, identified as CVE-2024-44308 and CVE-2024-44309 [4] [7]. These vulnerabilities affect a wide range of Apple devices and may have been actively exploited [1] [2] [3] [5] [6] [7] [8] [9], particularly on Intel-based Mac systems. The updates are crucial for enhancing security and preventing potential exploitation.

Description

Apple has released emergency security updates to address two critical zero-day vulnerabilities in macOS Sequoia, tracked as CVE-2024-44308 and CVE-2024-44309 [4] [7], which may have been actively exploited [1] [2] [3] [5] [6] [7] [8] [9], particularly on Intel-based Mac systems [1] [2] [3] [5] [6] [7] [8] [9]. These vulnerabilities affect millions of devices [10], including iPhones [4], iPads [1] [2] [4] [8] [10], Macs [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and the Vision Pro headset [10], and were reported by security researchers Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group [2] [10].

CVE-2024-44308 pertains to the JavaScriptCore framework—the built-in JavaScript engine for WebKit—and allows attackers to execute arbitrary code by tricking victims into processing maliciously crafted web content. Apple has addressed this vulnerability by implementing improved checks within JavaScriptCore to detect and prevent such exploits.

CVE-2024-44309 concerns the WebKit browser engine utilized in Safari and all iOS and iPadOS web browsers [2]. This vulnerability enables cross-site scripting (XSS) attacks through flawed cookie management [8], potentially compromising user cookies and session data [10]. Apple has mitigated this risk by enhancing cookie state management.

To address these vulnerabilities [5] [10], Apple has released macOS Sequoia 15.1.1 [4] [6], iOS 18.1.1 [4] [5] [6], iPadOS 18.1.1 [2] [3] [4] [5] [6], visionOS 2.1.1 [3] [4] [5] [6] [7], and Safari 18.1.1 [3] [7], as well as iOS 17.7.2 and iPadOS 17.7.2 for older devices. The affected devices include:

  • iPhone Models: iPhone XS and later
  • iPads: iPad Pro 13-inch and 12.9-inch (3rd generation and later) [10], iPad Pro 11-inch (1st generation and later) [10], iPad Air (3rd generation and later) [8] [10], iPad (7th generation and later) [8] [10], iPad mini (5th generation and later)
  • Macs: Devices running macOS Sequoia
  • Apple Vision Pro: The mixed-reality device
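
For fleet triage, the fixed versions listed above can be checked per release branch, so that a device on iOS 17.7.2 is not flagged just because it is below 18.1.1. This is an added example, not code from Apple or the cited sources; the inventory rows are constructed, and treating a newer major release as patched is an assumption.

```python
# Fixed versions as stated on this page, keyed by product, then by major release.
FIXED = {
    "macOS":    {15: (15, 1, 1)},
    "iOS":      {18: (18, 1, 1), 17: (17, 7, 2)},
    "iPadOS":   {18: (18, 1, 1), 17: (17, 7, 2)},
    "visionOS": {2: (2, 1, 1)},
    "Safari":   {18: (18, 1, 1)},
}

def parse_version(text):
    """Turn '18.1' into (18, 1, 0) so short versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Return 'patched', 'vulnerable', or 'unknown' (not covered by this page)."""
    branches = FIXED.get(product)
    if branches is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    fixed = branches.get(v[0])
    if fixed is None:
        # Assumption: a major release newer than any listed already has the fix.
        # Older branches are not mentioned on the page, so they stay 'unknown'.
        return "patched" if v[0] > max(branches) else "unknown"
    return "patched" if v >= fixed else "vulnerable"

def needs_update(inventory):
    """Hostnames whose reported version is below the fix for its branch."""
    return [host for host, product, version in inventory
            if assess(product, version) == "vulnerable"]

# Constructed sample inventory (hypothetical hostnames): (host, product, version)
INVENTORY = [
    ("mac-01", "macOS", "15.1"),    ("mac-02", "macOS", "15.1.1"),
    ("mac-03", "macOS", "14.7.1"),  ("iph-01", "iOS", "17.7.2"),
    ("iph-02", "iOS", "18.0.1"),    ("ipad-01", "iPadOS", "17.7.1"),
    ("avp-01", "visionOS", "2.1.1"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:8} {product:9} {version:8} {assess(product, version)}")
```

Rows reported as unknown, such as a Mac on a release older than Sequoia, need a manual check against Apple's advisories because this page does not state their status.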

Users are strongly advised to update their systems immediately, as these updates enhance security measures and improve data management during web browsing, helping to prevent further exploitation. Michael Covington [4], VP of Strategy at Jamf [4], emphasized the importance of applying these updates promptly [4]. There has been a notable increase in Mac-based attacks this year [7], with cybersecurity firms observing cybercriminals shifting their focus toward macOS devices as their usage grows in organizations [7]. This year [6] [7], Apple has resolved six zero-day vulnerabilities [6], a significant decrease from the 20 addressed in 2023 [6]. The updates were released on November 19, 2024 [8], and are crucial for maintaining device security.

Conclusion

The release of these security updates by Apple is a critical step in safeguarding users against potential threats posed by the identified vulnerabilities. By addressing these issues, Apple not only enhances the security of its devices but also underscores the importance of timely updates in the face of evolving cyber threats. As the landscape of cyberattacks shifts, particularly towards macOS devices, it is imperative for users to remain vigilant and ensure their systems are up-to-date to protect against future vulnerabilities.

References

[1] https://www.zdnet.com/article/update-your-iphone-ipad-and-mac-now-to-patch-these-serious-zero-day-security-flaws/
[2] https://www.helpnetsecurity.com/2024/11/20/cve-2024-44309-cve-2024-44308/
[3] https://www.computerweekly.com/news/366615870/Apple-addresses-two-iPhone-Mac-zero-days
[4] https://www.infosecurity-magazine.com/news/apple-security-update/
[5] https://digital.nhs.uk/cyber-alerts/2024/cc-4579
[6] https://www.techmonitor.ai/technology/cybersecurity/apple-addresses-two-zero-day-exploits-with-emergency-security-updates
[7] https://www.techtarget.com/searchsecurity/news/366616152/Apple-warns-2-macOS-zero-day-vulnerabilities-under-attack
[8] https://support.apple.com/en-us/121752
[9] https://support.apple.com/en-mide/121753
[10] https://securityonline.info/cve-2024-44308-and-cve-2024-44309-apple-addresses-zero-day-vulnerabilities/