Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.
"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.
The two bugs were found in the JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS Sequoia.
The JavaScriptCore flaw, CVE-2024-44308, allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (XSS) attacks.
The company says it addressed the security flaws in macOS Sequoia 15.1.1.
As the same components are found in other Apple operating systems, the flaws were also fixed in iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.
While Apple says both flaws were discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, the company has not provided further details on how they were exploited.
BleepingComputer contacted Google to learn how the flaws were exploited but was told that they have nothing more to share at this time.
With these two vulnerabilities, Apple has fixed six zero-days so far in 2024, with the first in January, two in March, and the fourth in May.
This number is significantly better than last year when Apple fixed a total of 20 zero-day flaws exploited in the wild, including:
- two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
- two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
- five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February
source: BleepingComputer