Apple has rolled out emergency security updates to address two zero-day vulnerabilities actively exploited in attacks targeting Intel-based Mac systems. These vulnerabilities, found in macOS Sequoia components, posed critical risks, enabling attackers to remotely execute code and carry out cross-site scripting (XSS) attacks. Apple confirmed these vulnerabilities were exploited in real-world attacks but has not provided detailed incident reports.

What Are Zero-Day Vulnerabilities?
Zero-day vulnerabilities refer to security flaws that attackers discover and exploit before the software developer becomes aware of the issue or has time to release a fix. The term “zero-day” underscores the urgency, as developers have “zero days” to respond before the vulnerability is exploited in real-world attacks. These flaws are particularly dangerous because they allow attackers to infiltrate systems undetected.

Which Devices Are Affected?
Apple has released updates to resolve the vulnerabilities in the following versions:

  • macOS Sequoia 15.1.1
  • iOS and iPadOS 17.7.2 / 18.1.1
  • visionOS 2.1.1

Steps to Protect Yourself

  • Update Your Devices: Ensure all Apple devices are running the latest software updates to secure against these vulnerabilities.
  • Stay Alert: Regularly check for security updates and advisories from Apple and other reliable sources to safeguard your devices.

 

Details of the Vulnerabilities
JavaScriptCore Vulnerability (CVE-2024-44308)

  • impact: Allows attackers to execute malicious code remotely via specially crafted web content.
  • Affected Component: JavaScriptCore in macOS.

WebKit Vulnerability (CVE-2024-44309)

  • Impact: Enables cross-site scripting (XSS) attacks, allowing attackers to manipulate web content and potentially steal sensitive data.
  • Affected Component: WebKit.

Apple’s Security Record in 2024
With the release of these patches, Apple has addressed six zero-day vulnerabilities so far this year. This represents a notable improvement from 2023, when the company patched 20 zero-day flaws actively exploited in the wild.