Pelican Press (Diamond Member), posted Wednesday at 05:52 PM

Apple addresses two iPhone, Mac zero-days

Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.

The fixes for CVE-2024-44308 and CVE-2024-44309 – both attributed to Clément Lecigne and Benoît Sevens of the Google Threat Analysis Group – affect devices running iOS and iPadOS […] and […], […] 1, and […]. They are also present in […].

CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.

CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack. In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victim’s browser. Such attacks can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.

Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.

WebKit at risk

Michael Covington, vice-president of strategy at […], a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the framework’s criticality to the Safari web browser.

“The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able,” said Covington.

CVE-2024-44309 is not the first issue affecting WebKit to be identified this year. In late January Apple patched CVE-2024-23222 – which also made it into the US’ Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue. Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable device.

As ever, Apple has provided scant detail on either of these vulnerabilities or how they have been taken advantage of. However, their identification by […] teams that have previously worked on vulnerabilities […] – such as disgraced ******** firm NSO – may indicate the sort of people to whom these new flaws may be of interest.

Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.

As usual, Apple users who have not enabled automated updates can download the patches by navigating to their device’s Settings menu, then to General, then to Software Update.