Facepalm: Google researchers have discovered a couple of zero-day vulnerabilities in Apple's WebKit components. The flaws have already been patched, but Cupertino strongly urges users to update their systems as soon as possible since it believes hackers are exploiting the security holes in the wild.

Apple found two dangerous vulnerabilities in its operating systems' JavaScriptCore and WebKit components. The security issues only affect Intel-based systems. However, the security updates apply to all Apple computer platforms.

The first flaw (CVE-2024-44308) impacts the JavaScriptCore framework that provides the JavaScript engine included in WebKit. Maliciously crafted web content could lead to arbitrary code execution. Apple noted that unknown threat actors may have exploited the flaw on Intel-based Mac systems.

The second vulnerability (CVE-2024-44309) affects the WebKit layout engine used by Safari and a few other web browsers. The flaw could allow hackers to carry out a cross-site scripting attack targeting Intel Mac systems.

Bad actors looking to crack Apple devices have constantly targeted WebKit as those devices' biggest weakness. Once the web browser is compromised, hackers can push their attack further into the system for various purposes, including weaponizing iPhones, stealing user data, and eavesdropping on communications between susceptible targets.

Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, a security team created to counter government-backed hacking activities, discovered the flaws. Apple devices are often one of the main focuses of commercial spyware platforms, which are known for making a business out of researching and exploiting unknown vulnerabilities for their customers.

Apple hasn't provided specific details regarding the hackers trying to exploit the flaws. Cupertino developers patched the two zero-day issues by improving JS checks in JavaScriptCore and state management in WebKit.

The fixes for JavaScriptCore and WebKit are available in the latest versions of macOS Sequoia (15.1.1), iOS (18.1.1), and iPadOS (18.1.1). The patches also rolled out to iOS 17.7.2 and iPadOS 17.7.2. Additional security updates are available for the Safari browser on macOS Ventura, macOS Sonoma, and the Vision Pro mixed reality headset (visionOS 2.1.1).
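
For administrators checking a fleet against the fixed releases listed above, here is a branch-aware version check. It is an added example, not code from the article or from Apple; the inventory, hostnames and status labels are constructed assumptions.

```python
# Fixed releases as listed in the article, keyed by (platform, major version).
FIXED = {
    ("macos", 15): (15, 1, 1),
    ("ios", 18): (18, 1, 1),
    ("ipados", 18): (18, 1, 1),
    ("ios", 17): (17, 7, 2),
    ("ipados", 17): (17, 7, 2),
    ("visionos", 2): (2, 1, 1),
}
# macOS Ventura (13) and Sonoma (14) get the fix through a Safari update.
# The article gives no Safari version, so these are flagged for a manual check.
SAFARI_ONLY = {("macos", 13), ("macos", 14)}


def parse_version(text):
    """Turn '15.1' into (15, 1, 0) so tuples compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(platform, version):
    """Return a status label (hypothetical names) for one device."""
    parsed = parse_version(version)
    key = (platform.lower(), parsed[0])
    if key in SAFARI_ONLY:
        return "check-safari"
    fixed = FIXED.get(key)
    if fixed is None:
        # Branch not mentioned in the article: do not guess either way.
        return "unknown-branch"
    return "patched" if parsed >= fixed else "needs-update"


def audit(inventory):
    """Map each hostname to its status."""
    return {host: classify(platform, version) for host, platform, version in inventory}


# Constructed sample inventory: (hostname, platform, OS version).
SAMPLE_INVENTORY = [
    ("mac-build-01", "macOS", "15.1"),
    ("mac-design-07", "macOS", "14.7.1"),
    ("iphone-exec-03", "iOS", "17.7.2"),
    ("ipad-kiosk-12", "iPadOS", "18.1"),
    ("iphone-legacy-09", "iOS", "16.7.10"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing versions as integer tuples per major branch avoids the string-comparison trap where "17.10" sorts before "17.7.2", and keeps an iOS 17 device from being judged against the iOS 18 fix.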