Apple has rolled out urgent security updates to fix two critical zero-day vulnerabilities affecting Mac users that have been actively exploited in the wild.
According to the Cupertino giant, the zero-day vulnerabilities, CVE-2024-44308 and CVE-2024-44309, are only actively exploited on Intel-based Mac systems.
“Apple is aware of a report that this issue may have been exploited,” the company said in an advisory published on Tuesday.
The first vulnerability, CVE-2024-44308, is related to JavaScriptCore, which could lead to arbitrary code execution when processing maliciously crafted web content.
On the other hand, the second vulnerability, CVE-2024-44309, is related to WebKit, the engine that powers Safari and web content on Apple devices.
It could lead to a cross-site scripting (XSS) attack when processing maliciously crafted web content.
While the CVE-2024-44308 vulnerability was addressed with improved checks, the CVE-2024-44309 flaw, a cookie management issue, was addressed with improved state management.
These vulnerabilities were discovered and reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG), which tracks cyberattacks mostly linked to government-backed actors.
Apple has not provided any information on how the above vulnerabilities were exploited.
However, it has strongly urged its macOS users to immediately update to macOS Sequoia 15.1.1, which addresses the security flaws.
It has also released the latest versions of iOS and iPadOS and recommends that iPhone and iPad users update promptly to mitigate potential security threats.
To download macOS software updates, go to Apple menu > System Settings, click General in the sidebar of the window that opens, then click Software Update on the right.
For software updates on iPhone or iPad, go to Settings > General > Software Update, then check for the update and install it.