Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below:
- CVE-2024-44308 – A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content.
- CVE-2024-44309 – A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content.
The iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively.
Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities “may have been actively exploited on Intel-based Mac systems.”
Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the two flaws, indicating that they were likely put to use as part of highly targeted government-backed or mercenary spyware attacks.