Apple’s latest security updates for iOS, macOS, Safari, visionOS, and iPadOS contained brief but critical disclosures of two actively exploited vulnerabilities.
The tech giant said Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group discovered the vulnerabilities. NIST lists the vulnerabilities as CVE-2024-44308 and CVE-2024-44309.
What are the vulnerabilities Apple patched?
Apple didn’t disclose much information about the exploitation or what attackers might have done using these vulnerabilities. However, the Threat Analysis Group works specifically on “government-backed hacking and attacks against Google and our users,” so it’s possible these vulnerabilities were used in well-funded attacks against specific targets.
SEE: Want to accept Apple Pay at your business? See how with our guide.
With CVE-2024-44308, attackers could create malicious web content, leading to arbitrary code execution. Apple detected this exploit possibly in use on Intel-based Mac systems — unlike those systems using Apple’s own M chips, which have been the standard since 2023. Apple put improved checks in place to prevent this issue.
CVE-2024-44309 has been exploited similarly and applies to Intel-based Macs, but the fix was different. Apple said its team addressed a cookie management issue by improving state management.
The affected operating systems are:
- Safari 18.1.1
- iOS 17.7.2
- iPadOS 17.7.2
- macOS Sequoia 15.1.1
- iOS 18.1.1
- iPadOS 18.1.1
- visionOS 2.1.1
Apple faced four zero-day vulnerabilities earlier in 2024
In addition to the latest exploitations, Apple disclosed four zero-day vulnerabilities this year, all of which it patched:
- CVE-2024-27834, a bypass around pointer authentication.
- CVE-2024-23222, an arbitrary code execution vulnerability.
- CVE-2024-23225, a memory corruption problem.
- CVE-2024-23296, another memory corruption problem.
Apple devices have a reputation for being secure against viruses and malware, in part because of Apple’s tight hold over its App Store ecosystem. However, that doesn’t mean these devices are impervious to all attacks. According to multiple reports, threat actors are increasing efforts to breach macOS, especially with infostealers and trojans.
In April, Apple notified select users that their iPhones had been compromised by “a mercenary spyware attack,” in a case of threat actors targeting specific people. Other vulnerabilities may arise in hardware, such as the GoFetch vulnerability that popped up in Apple’s M-series chips early this year.
Keep up cybersecurity best practices
Zero-day disclosures are good opportunities for IT teams to remind users to keep up with operating system updates and to follow company security guidelines. Strong passwords or two-factor authentication can make a big difference. Many cybersecurity best practices apply across operating systems, including Apple’s.
Read the full article here