Apple releases a security update on Nov 19, 2024, addressing two zero-day vulnerabilities in iOS, iPadOS, macOS, visionOS, and Safari to protect against active threats.

Apple has released a new security update to address two zero-day vulnerabilities that have been actively exploited in the wild. The update, released on November 19, 2024, affects iOS, iPadOS, macOS, visionOS, and the Safari browser and is part of Apple’s ongoing efforts to protect its users from increasingly sophisticated cyber threats.

The Apple vulnerabilities, identified in JavaScriptCore and WebKit, are serious, as they could allow maliciously crafted web content to execute arbitrary code or carry out cross-site scripting (XSS) attacks.

Apple was alerted to the potential for active exploitation of these flaws, particularly on Intel-based Mac systems, which prompted the urgent release of Apple Security Updates and Rapid Security Responses to address the issues immediately.

Details of the Apple Security Update

The updates address two primary Apple vulnerabilities in the WebKit and JavaScriptCore components, both of which are essential for web content processing in Apple devices.

These flaws could allow attackers to run arbitrary code or inject harmful scripts into web pages viewed through Apple’s browser technologies. If exploited, these vulnerabilities could compromise the security and privacy of users, putting them at risk.

• CVE-2024-44308, identified by security researchers Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group, is the most critical of the two issues. It relates to a problem in WebKit, Apple’s open-source web browser engine, which could allow malicious web content to lead to arbitrary code execution on affected devices.
• A second vulnerability in WebKit concerns cookie management, which could enable cross-site scripting attacks. The flaw could allow an attacker to manipulate cookies, potentially stealing sensitive user data or performing malicious actions under the guise of trusted websites.

These issues have been addressed with patches designed to improve the state management and verification processes in both JavaScriptCore and WebKit, blocking any attempts to exploit these vulnerabilities.

Apple’s Security Response

In keeping with its policy of prioritizing user safety, Apple did not confirm the details of these vulnerabilities until it had thoroughly investigated the issues and deployed updates. The company typically follows a strict protocol when it comes to security matters, releasing fixes only after extensive testing to ensure that the vulnerabilities are adequately addressed.

As part of the release process, Apple has rolled out Apple Security Updates for a range of devices, including the iPhone, iPad, Mac, and Apple Vision Pro. The following updates were released on November 19, 2024:

• Safari 18.1.1 for macOS Ventura and macOS Sonoma: This update fixes the issue in JavaScriptCore and WebKit, ensuring that maliciously crafted web content can no longer execute arbitrary code on affected systems.
• visionOS 2.1.1 for Apple Vision Pro: This update addresses the same vulnerabilities affecting macOS devices, ensuring the security of Apple’s newest AR headset.
• iOS 18.1.1 and iPadOS 18.1.1: These updates apply to a wide range of devices, including the iPhone XS and later, iPad Pro 13-inch, iPad Air 3rd generation, and newer models.
• iOS 17.7.2 and iPadOS 17.7.2: This update also addresses the critical vulnerabilities for earlier versions of iPhones and iPads, extending the security patch to models as old as the iPhone XS and iPad 6th generation.
• macOS Sequoia 15.1.1: This security patch was issued for the latest macOS Sequoia and addresses the vulnerabilities in JavaScriptCore and WebKit.

Impacts and Risks

The vulnerabilities targeted by these updates are serious, as they could allow attackers to exploit unpatched devices in order to take control of systems, steal data, or disrupt operations. Apple’s proactive release of security updates and Rapid Security Responses is aimed at mitigating these risks by providing users with timely protection against active exploitation. The company has stressed that these vulnerabilities were actively being used in the wild, making it crucial for users to install the updates as soon as possible.

Apple’s commitment to Apple vulnerability updates and security releases underscores the company’s ongoing effort to secure its products against evolving threats. The rapid rollout of patches is part of Apple’s broader strategy to ensure that its devices remain secure, even as cybercriminals develop increasingly sophisticated attack techniques.

How Users Can Stay Protected

To stay protected, users are encouraged to install the latest updates as soon as they are available. These updates are critical not only for closing the immediate vulnerabilities but also for ensuring long-term device security. Apple has made it easy to check for updates by navigating to the Settings app on iOS or iPadOS devices or through the System Preferences or Software Update sections on macOS.

Apple’s detailed security documentation, available on its website, provides insights into each security update and the specific vulnerabilities addressed. The company also advises users to be cautious about visiting suspicious websites or downloading content from untrusted sources, as these are common vectors for exploitation.

Related