Apple Releases Updates for Zero-Day Security Vulnerabilities

Apple has issued a software update for affected devices and its browser after identifying and patching two "zero-day" security vulnerabilities that primarily impacted Mac systems based on Intel processors. The company recommended that users update their systems as soon as possible to mitigate exploitation risks.

According to Apple’s security releases homepage, the company has provided security updates and rapid security responses for several operating systems: macOS Sequoia 15.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1, and Safari 18.1.1. The identified vulnerabilities, registered under CVE-IDs 2024-44308 (JavaScriptCore) and 2024-44309 (WebKit), allowed the execution of malicious code and cross-site scripting (XSS) attacks by manipulating web content.

Apple reported that the issues were, “addressed with improved checks”. However, the company also released recommendations for users to install the latest update on their devices to ensure data security.

The update includes specific fixes for several Apple operating systems:

• iPhone and iPad: iOS Version 18.1.1, which also includes improvements related to artificial intelligence features.

• Mac: Sequoia Version 15.1.1, aimed at addressing flaws identified on Intel processor-based devices.

• Vision Pro: Version OS 2.1.1, focused on fixing bugs in the mixed reality glasses system.

In addition to addressing the vulnerabilities, the update integrates additional enhancements to Apple Intelligence, a suite of artificial intelligence-driven features that expand the capabilities of compatible devices.

Appe emphasized that the malware associated with these vulnerabilities remains active on the internet, underscoring the urgent need to implement updates immediately. This highlights the importance of keeping systems up to date as a key practice in protecting against cyberattacks.

Relevance of the Case 

WebKit has historically been a frequent target of cybercriminals due to its direct access to browser structure and, potentially, sensitive data stored on devices. "Zero-day" vulnerabilities are especially critical because attackers exploit them before developers can fix them, requiring a quick and effective response from technology companies.

In this instance, the flaws allowed attackers to execute arbitrary code by manipulating web content, potentially granting them access to the device's software and, by extension, to users' private data. However, according to Kaspersky, the damaging potential of such vulnerabilities can be far-reaching, potentially affecting entire operating systems, applications, open-source components, hardware, and even Internet of Things (IoT) devices.