CISA Sounds the Alarm on Actively Exploited Apple and Oracle Zero-Days
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about three actively exploited vulnerabilities affecting Apple and Oracle products. These flaws, added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscore the critical need for users to update their software immediately.
Two of the vulnerabilities reside in Apple’s WebKit browser engine, the foundation for Safari and other browsers on Apple devices.
- CVE-2024-44308 allows attackers to execute arbitrary code on Intel-based Macs by processing malicious web content.
- CVE-2024-44309 enables cross-site scripting (XSS) attacks, potentially allowing attackers to steal user data or hijack sessions.
While Apple has patched these vulnerabilities in its latest security updates for iOS, iPadOS, macOS, visionOS, and Safari, the fact that they were actively exploited before the patches were released raises serious concerns. Discovered by Google’s Threat Analysis Group (TAG), these vulnerabilities may have been used in highly targeted attacks by government-backed actors or mercenary spyware developers.
The third vulnerability, CVE-2024-21287, affects Oracle’s Agile Product Lifecycle Management (PLM) Framework. This flaw allows unauthenticated attackers to remotely leak sensitive information.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle stated in its advisory. “If successfully exploited, this vulnerability may result in file disclosure.”
While details about the exploitation of this vulnerability remain scarce, the potential for unauthorized access to sensitive files is a significant concern for organizations using Oracle’s Agile PLM Framework.
CISA Mandates Urgent Action
In response to the active exploitation of these vulnerabilities, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by December 12, 2024.