Apple has rolled out security updates for iOS, iPadOS, macOS, visionOS, and Safari to address two zero-day vulnerabilities that are being actively exploited in the wild. The vulnerabilities, identified as CVE-2024-44308 and CVE-2024-44309, impact JavaScriptCore and WebKit, respectively.
CVE-2024-44308 is a flaw in JavaScriptCore that could allow arbitrary code execution when processing maliciously crafted web content, while CVE-2024-44309 is a cookie management vulnerability in WebKit that may lead to cross-site scripting (XSS) attacks. Apple has addressed the first issue with improved checks and the second with improved state management.
The company acknowledged that the vulnerabilities might have been actively exploited, particularly on Intel-based Mac systems. While specifics of the exploitation remain unclear, the discovery of these flaws by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG) suggests they may have been part of targeted government-backed or mercenary spyware campaigns.
The fixes ship in iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1, and Safari 18.1.1, covering the full range of affected devices and operating systems. Installing them is the only mitigation Apple has published for these vulnerabilities.
This marks the fourth round of zero-day patches Apple has released this year: one of the earlier vulnerabilities was demonstrated during the Pwn2Own Vancouver hacking competition, and others were addressed in January and March.