Apple has released an emergency patch to fix two vulnerabilities that hackers have exploited to target Intel-based Mac computers.
The previously unknown “zero-day” flaws led Apple to issue patches for macOS, iOS, and iPadOS. Details are thin, but both bugs involve a Mac, iPhone, or iPad processing “maliciously crafted web content” to trigger the operating system to execute rogue computer code.
“Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” the company said for both vulnerabilities.
One of the flaws, CVE-2024-44309can cause a cross-site scripting attack through Apple’s WebKit browser engine, which is used in Safari and web browsers for iOS and iPadOS. The resulting attack can inject malicious computer code into a legitimate website or app.
Meanwhile, the second vulnerability, CVE-2024-44308can trigger Apple’s JavaScriptCore software to run malicious computer code without the user’s permission. Apple’s advisory suggests hackers used both flaws together to target older Intel-based Macs, which the company started transitioning away from in 2020 in favor of using its own Arm-based M chips.
Recommended by Our Editors
Apple learned about the vulnerability from Google security researchers Clément Lecigne and Benoît Sevens. Both work for the company’s Threat Analysis Group, which focuses on countering government-backed hacking. Hence, there’s a good chance a state-sponsored hacker or commercial spyware vendor used the vulnerabilities to target specific users.
In response, Apple released patches with macOS Sequoia 15.1.1, iOS 18.1.1, and iPadOS 18.1.1. Those on iOS 17 and iPadOS 17 or who own the Apple Vision Pro headset can also receive the fix. To install the patch on an iPhone, go to Settings > General > Software Update. The device can also patch itself automatically if you’ve switched on automatic updates. Mac users can patch by going to the Apple icon > System Settings > General > Software Update.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
About Michael Kan
Senior Reporter
I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.
Read Michael’s full bio