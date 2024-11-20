Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.

The fixes for CVE-2024-44308 and CVE-2024-44309 – both attributed to Clément Lecigne and Benoît Sevens of the Google Threat Analysis Group – affect devices running iOS and iPadOS 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. They are also present in Safari 18.1.1.

CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.

CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.

In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victim’s browser. They can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.

Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.