Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.
"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.
The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS.
The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.
The company says it addressed the security flaws in macOS Sequoia 15.1.1.
As the same components are found in other Apple operating systems, it was also fixed in iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.
While Apple says both flaws were discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, the company has not provided further details on how they were exploited.
BleepingComputer contacted Google to learn how the flaws were exploited but was told that they have nothing more to share at this time.
With these two vulnerabilities, Apple has fixed six zero-days so far in 2024, with the first in January, two in March, and the fourth in May.
This number is significantly better than last year when Apple fixed a total of 20 zero-day flaws exploited in the wild, including:
- two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
- two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
- five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February
source: BleepingComputer
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024