Apple patches 2 zero-day vulnerabilities that were used to attack Intel-based Macs
Apple has released a critical update for macOS to patch a couple of zero-day vulnerabilities. The security patches are also available for iPhones and iPads.
Intel-based Macs targeted by security attacks
The macOS Sequoia 15.1.1 update includes 2 security fixes, both of which affect Safari. The vulnerabilities were discovered by two security experts who are part of Google's Threat Analysis Group, Clément Lecigne and Benoît Sevens. They reported their findings to Apple, which confirmed that it is aware that the issues may have been actively exploited by hackers. Details about the attacks have not been revealed.
According to the Security Releases page on the company's portal, the first of these patches is for an issue tracked under CVE-2024-44308, and is related to JavaScriptCore. The vulnerability meant that processing malicious web content could lead to arbitrary code execution. The bug was addressed by improving checks.
The second vulnerability is tracked under CVE-2024-44309, and affects WebKit. This issue could allow malicious content on a web page to initiate a cross-site scripting attack. Apple identified the bug as a cookie management issue, and patched it by improving the state management.
Now, the security fixes aren't exclusive to Intel Macs, though the issues themselves were exploited on those machines. Since the vulnerabilities exist in Safari, other devices could also be vulnerable, which is why the patches are included for all Macs that support macOS Sequoia. The security updates have also been released for older Macs running on Ventura and Sonoma, but not as an operating system update. Instead, Apple has released an update for its browser to patch the vulnerabilities on older systems; it bumps the version number to Safari 18.1.1.
There are still quite a few Intel Macs that are supported by macOS Sequoia. These include the 2017 iMac Pro, 2018 Mac mini, 2018 MacBook Pro, 2019 iMac, 2019 MacBook Pro, 2020 iMac, 2020 MacBook Air, and the 2019 Mac Pro. Apple began switching to Apple Silicon chips in 2020, and began phasing out the Intel models. The Cupertino company stopped selling Intel Macs in 2023; the last of these devices to be discontinued was the Mac Pro.
Security fixes for iOS and iPadOS
These patches are also available through the visionOS 2.1.1 update for Vision Pro, iOS 18.1.1 for iPhone XS and later, and iPadOS 18.1.1 for iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Users on iOS 17 and iPadOS 17 also get the security updates via iOS 17.7.2 (iPhone XS and later), and iPadOS 17.7.2 (all the above-mentioned iPads, plus the iPad 6th generation).
It is advised to update your Mac, iPhone, and iPad as soon as possible, to protect them from the vulnerabilities.
It might seem strange that these zero-day fixes were not delivered via the Rapid Security Responses system. It was, after all, designed to counter threats quickly with a small update and a system reboot. Apple used the RSR system just twice. It appeared to function fine when the company released an RSR update for iOS 16.4.1, iPadOS 16.4.1 and macOS 13.1.1 Ventura in May last year. But the iOS 16.5.1, iPadOS 16.5.1 and macOS 13.4.1 RSR updates, which were released in July 2023, were buggy and broke compatibility with many websites, making them unusable, and Apple had to hastily pull the updates. We haven't seen any RSR updates since then.