CVE-2024-44308 and CVE-2024-44309: Apple Addresses Zero-Day Vulnerabilities

CVE-2024-44308 & CVE-2024-44309

Apple users are urged to update their devices immediately following the discovery of two critical zero-day vulnerabilities actively exploited in the wild. These vulnerabilities, CVE-2024-44308 and CVE-2024-44309, leave millions of iPhones, iPads, Macs, and even the cutting-edge Vision Pro headset open to attack.

Both zero-day vulnerabilities, reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG), were found in JavaScriptCore and WebKit, integral components of Apple’s web rendering framework. These vulnerabilities have been associated with the potential for arbitrary code execution and cross-site scripting (XSS) attacks:

  • CVE-2024-44308: Exploitation could allow attackers to execute arbitrary code by tricking victims into processing maliciously crafted web content. Apple addressed this vulnerability by implementing improved checks within JavaScriptCore.
  • CVE-2024-44309: This vulnerability could enable cross-site scripting attacks through crafted web content, potentially compromising user cookies and session data. Apple enhanced cookie state management to mitigate this threat.

While Apple has not disclosed specific details about the exploitation, it acknowledged that these flaws may have been actively used in attacks against Intel-based Mac systems.

“Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” the company said in an advisory issued on Tuesday.

The vulnerabilities have a broad impact, with the following devices listed as vulnerable:

  • iPhone Models: iPhone XS and later
  • iPads:
    • iPad Pro 13-inch and iPad Pro 12.9-inch (3rd generation and later)
    • iPad Pro 11-inch (1st generation and later)
    • iPad Air (3rd generation and later)
    • iPad (7th generation and later)
    • iPad mini (5th generation and later)
  • Macs: Devices running macOS Sequoia
  • Apple Vision Pro: The cutting-edge mixed-reality device

To mitigate these vulnerabilities, Apple has released security updates for the following operating systems:

  • iOS 17.7.2 and iPadOS 17.7.2
  • iOS 18.1.1 and iPadOS 18.1.1
  • macOS Sequoia 15.1.1
  • visionOS 2.1.1

Users are urged to update their devices immediately to avoid potential exploitation.
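As an added example (not code from the article or from Apple), the following check classifies reported OS versions against the fixed versions listed above. It handles the point that is easy to get wrong when iOS and iPadOS have two patched branches: a device on 18.0.x is still unpatched even though 18.0 is numerically newer than 17.7.2. The inventory lines are constructed.

```python
"""Classify Apple OS versions against the fixed releases for CVE-2024-44308/44309."""
from __future__ import annotations

# Fixed versions per OS, taken from the update list above. iOS/iPadOS have two
# patched branches, so the comparison must be made within the same major version.
FIXED = {
    "iOS": ["17.7.2", "18.1.1"],
    "iPadOS": ["17.7.2", "18.1.1"],
    "macOS": ["15.1.1"],
    "visionOS": ["2.1.1"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """'17.7.2' -> (17, 7, 2); short strings such as '15.1' are padded to three parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(os_name: str, version: str) -> bool:
    """True if `version` is at or above the fixed release on its own major branch.

    A major version below every listed branch is reported as unpatched (it must be
    upgraded); a major version above every listed branch is assumed to ship the fix.
    """
    if os_name not in FIXED:
        raise ValueError(f"unknown OS: {os_name}")
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED[os_name]]
    for f in fixed:
        if v[0] == f[0]:
            return v >= f
    return v[0] > max(f[0] for f in fixed)


# Constructed inventory: hostname,os,version (not real devices).
INVENTORY = """\
iphone-exec-01,iOS,18.0.1
ipad-lab-02,iPadOS,17.7.2
mbp-intel-07,macOS,15.1
mbp-arm-01,macOS,15.1.1
vision-demo,visionOS,2.1.1
"""


def triage(inventory: str) -> dict[str, list[str]]:
    """Split inventory lines into hosts that are patched and hosts that need the update."""
    result: dict[str, list[str]] = {"patched": [], "needs_update": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, os_name, ver = line.split(",")
        result["patched" if is_patched(os_name, ver) else "needs_update"].append(host)
    return result
```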
