CERT-In has issued a high-severity advisory warning users of Apple devices about multiple vulnerabilities that could allow attackers to execute arbitrary code or perform cross-site scripting (XSS) attacks.
The advisory affects several Apple products, including iPhones, iPads, and Macs, and urges users to update their devices to the latest software versions.
Vulnerability details
Two vulnerabilities have been identified:
Arbitrary Code Execution Vulnerability (CVE-2024-44308)
This issue exists in JavaScriptCore, which is used by Apple’s Safari browser and other applications to process JavaScript. Attackers can exploit the vulnerability by sending malicious web content, enabling them to execute arbitrary code on affected devices.
Cross-Site Scripting Vulnerability (CVE-2024-44309)
This vulnerability affects WebKit, the engine powering Safari and other web content on Apple devices. It can be exploited through malicious web content, leading to cross-site scripting attacks.
CERT-In has noted that these vulnerabilities may be actively exploited, particularly on Intel-based Mac systems.
Affected devices
The vulnerabilities affect the following Apple products:
Apple iOS and iPadOS versions prior to 18.1.1 and 17.7.2
Apple macOS Sequoia versions prior to 15.1.1
Apple visionOS versions prior to 2.1.1
Apple Safari versions prior to 18.1.1
Users of Intel-based Macs, iPhones, and iPads are at high risk.
What users should do
CERT-In recommends updating affected devices to the latest software versions to mitigate the risks.
iPhone and iPad users should install iOS 18.1.1 or iOS 17.7.2.
Mac users should update to macOS Sequoia 15.1.1.
visionOS users should upgrade to version 2.1.1.
Safari users should ensure they are using version 18.1.1.
Keeping devices updated with the latest patches can help protect against unauthorised access, data theft, and system compromise. Apple users should apply these updates immediately to secure their devices.
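The fixed versions listed above can be checked against a device inventory. The following is an added example, not part of the advisory or of any CERT-In or Apple tooling. The inventory rows, host names and function names are constructed for illustration, and reporting macOS releases outside 15.x as "not-listed" is an assumption based on the advisory naming only Sequoia.

```python
# Added example: fixed versions come from the advisory text above.
# Inventory rows and function names are constructed for illustration.
FIXED = {
    "ios": [(17, 7, 2), (18, 1, 1)],
    "ipados": [(17, 7, 2), (18, 1, 1)],
    "macos": [(15, 1, 1)],
    "visionos": [(2, 1, 1)],
    "safari": [(18, 1, 1)],
}

def parse_version(text):
    """'18.1' -> (18, 1, 0); pads to three parts so 18.1 sorts below 18.1.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Return ('patched' | 'update' | 'not-listed', fixed_version_or_None)."""
    product = product.lower()
    fixes = sorted(FIXED[product])
    current = parse_version(version)
    # Prefer the fix on the device's own major branch (17.x -> 17.7.2).
    for fix in fixes:
        if fix[0] == current[0]:
            return ("patched", None) if current >= fix else ("update", fix)
    if product == "macos":
        # Assumption: only Sequoia (15.x) is listed; check Safari separately.
        return ("not-listed", None)
    # No fix on this branch: older than the oldest fixed release is unpatched.
    return ("update", fixes[0]) if current < fixes[0] else ("patched", None)

INVENTORY = [  # constructed sample rows: (host, product, version)
    ("iphone-01", "iOS", "17.7.1"),
    ("iphone-02", "iOS", "18.1.1"),
    ("ipad-01", "iPadOS", "18.1"),
    ("mac-01", "macOS", "15.1"),
    ("mac-02", "macOS", "14.7.1"),
    ("mac-02", "Safari", "18.1"),
]

def report(rows):
    """Return (host, product, version, status, target_version) per row."""
    out = []
    for host, product, version in rows:
        status, fix = assess(product, version)
        out.append((host, product, version, status,
                    ".".join(map(str, fix)) if fix else "-"))
    return out
```

A host on a macOS release the advisory does not list still needs its Safari version checked, which is why the sample inventory carries a separate Safari row for mac-02.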