Apple issued emergency patches to address two zero-day vulnerabilities that have been actively exploited in attacks targeting Intel-based Mac systems. The vulnerabilities, identified as CVE-2024-44308 and CVE-2024-44309, were found in the macOS Sequoia JavaScriptCore and WebKit components.
The flaws, which could allow attackers to execute malicious code and conduct cross-site scripting (XSS) attacks, have been fixed in the latest macOS Sequoia 15.1.1 update. To protect users of other Apple devices, security fixes have also been applied to iOS 17.7.2 and iPadOS 17.7.2, as well as iOS 18.1.1, iPadOS 18.1.1, and visionOS 2.1.1.
Apple attributed the discovery of the two vulnerabilities to Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group. However, the company has not disclosed specific details on how these vulnerabilities have been exploited in real-world attacks. Efforts to obtain more details from Google yielded no additional information, BleepingComputer reported.
The CVE-2024-44308 vulnerability in JavaScriptCore allows attackers to remotely execute code using maliciously crafted web content, while the CVE-2024-44309 vulnerability in WebKit facilitates XSS attacks. These components are an integral part of Apple’s operating systems, highlighting the widespread impact of the flaws.
“Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” the Cupertino-based tech giant said.
The company has fixed six zero-day vulnerabilities so far this year with its latest patches. This represents a significant decrease from the 20 zero-day exploits resolved in 2023. Last year’s patches were spread out over several months, with September seeing the highest concentration of critical patches.
Oracle and Palo Alto Networks also take action against zero-day vulnerabilities
In a parallel development, Oracle fixed a critical zero-day vulnerability, CVE-2024-21287, in its Agile Product Lifecycle Management (PLM) platform. The flaw, which allows unauthenticated attackers to remotely exploit the system and access sensitive files, has been actively used in attacks. Oracle has strongly urged its Agile PLM customers to apply the latest updates to prevent further exploitation.
“This vulnerability is remotely exploitable without authentication, that is, it can be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability can lead to file disclosure,” Oracle said.
The Oracle flaw was revealed by Joel Snape and Lutz Wolf of CrowdStrike.
Meanwhile, this week Palo Alto Networks also released updates fixing two actively exploited zero-day vulnerabilities in its next-generation firewalls. The flaws, identified as CVE-2024-0012 and CVE-2024-9474, pose significant risks to devices exposed to the Internet, as they are exploited via the PAN-OS management web interface.