CERT-In has issued a high-severity advisory alerting Apple device users to multiple vulnerabilities. The advisory impacts various Apple products, including iPhones, iPads, and Macs, and recommends users update their devices to the latest software versions.
In its advisory note, CERT-In has outlined two significant vulnerabilities affecting a range of Apple products, including:
- iPhones and iPads: Running iOS and iPadOS versions prior to 18.1.1 and 17.7.2.
- MacBooks and Desktops: Using macOS Sequoia versions prior to 15.1.1.
- Vision Pro: Running visionOS versions prior to 2.1.1.
- Safari Browser: Versions earlier than 18.1.1.
Invisible Threat: Zero-Day Apple Exploits
On Nov. 19, Apple issued a critical security alert, revealing that two zero-day vulnerabilities, CVE-2024-44308 and CVE-2024-44309, had been actively exploited.
A zero-day vulnerability refers to a software flaw unknown to the vendor, with no available patch at the time of discovery. Attackers exploit these vulnerabilities before developers can address them, making zero-day attacks particularly dangerous. In this instance, the vulnerabilities in JavaScriptCore and WebKit were exploited to execute malicious code through specially crafted web content.
1. Arbitrary Code Execution (CVE-2024-44308)
This vulnerability resides in JavaScriptCore, the engine that powers JavaScript execution in Apple’s software, including the Safari browser.
Malicious actors can exploit this vulnerability by sending specially crafted web content to execute arbitrary code on the target device. When loaded in the browser, the script exploits the vulnerability, bypassing protections that normally isolate JavaScript from accessing sensitive system-level resources. Once the code executes, it can steal personal information, install malware or even grant the attacker remote access to the system.
2. Cross-Site Scripting (XSS) (CVE-2024-44309)
This vulnerability exists in WebKit. WebKit is Apple’s open-source browser engine that renders web pages. It handles everything from displaying text and images to running interactive elements on websites. If you’re using Safari, every webpage you load passes through WebKit.
The exploit involves sending carefully crafted web content that causes WebKit to mishandle memory during processing. This creates a “buffer overflow” or similar memory corruption issue, allowing attackers to insert and run their own code. Exploiting this issue involves sending maliciously crafted web content that triggers XSS attacks, potentially allowing attackers to manipulate web pages, steal sensitive data, or impersonate users online.
How to stay safe
To help users protect their Apple devices, CERT-In strongly advises users to update their devices to the latest software versions. To update:
- iPhones and iPads: Go to Settings > General > Software Update and install the latest iOS or iPadOS version.
- MacBooks: Open System Preferences > Software Update and upgrade to macOS Sequoia 15.1.1 or later.
- Vision Pro: Navigate to Settings > Software Update to ensure you’re on visionOS 2.1.1 or above.
- Safari browser: Update to version 18.1.1 via the App Store or through system updates.
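For administrators checking many devices, the following added example (not part of the advisory or of any Apple or CERT-In tooling) compares reported versions against the fixed versions listed above, matching each device to the fix for its own major branch. The host names, the `status` and `audit` helpers, the status labels and the inventory are constructed for illustration, and treating later major releases as patched is an assumption.

```python
from typing import Dict, List, Tuple

# Fixed versions as listed in the advisory text above. iOS/iPadOS has two
# patched branches (17.x and 18.x); the other products list one.
FIXED: Dict[str, List[Tuple[int, ...]]] = {
    "ios": [(17, 7, 2), (18, 1, 1)],
    "ipados": [(17, 7, 2), (18, 1, 1)],
    "macos": [(15, 1, 1)],  # macOS Sequoia
    "visionos": [(2, 1, 1)],
    "safari": [(18, 1, 1)],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'18.1' -> (18, 1, 0); pads to three parts so 18.1 compares below 18.1.1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def status(product: str, version: str) -> str:
    fixes = FIXED.get(product.strip().lower())
    if fixes is None:
        return "unknown-product"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    # Compare against the fix for the device's own major branch: 18.0.1 is
    # numerically above 17.7.2 but is still below the 18.x fix.
    for fix in fixes:
        if fix[0] == v[0]:
            return "patched" if v >= fix else "vulnerable"
    if v[0] > max(f[0] for f in fixes):
        return "patched"  # assumption: later major releases include the fix
    return "no-fix-listed"  # older branch; the advisory names no fixed version

def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    return {host: status(product, ver) for host, product, ver in inventory}

# Constructed sample inventory (host, product, reported version).
INVENTORY = [
    ("phone-01", "iOS", "18.1"),
    ("phone-02", "iOS", "17.7.2"),
    ("phone-03", "iOS", "18.0.1"),
    ("mac-01", "macOS", "15.1"),
    ("mac-02", "macOS", "14.7.1"),
    ("vp-01", "visionOS", "2.1.1"),
]
if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```

Devices reported as `no-fix-listed` are on a major release for which the advisory names no fixed version and need a separate decision.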