Apple has rolled out security updates for iOS, iPadOS, macOS, visionOS, and Safari to patch two zero-day vulnerabilities that are reportedly being actively exploited in the wild. These flaws, tracked as CVE-2024-44308 and CVE-2024-44309, affect the WebKit framework.
One of the vulnerabilities (CVE-2024-44308) resides in JavaScriptCore and allows arbitrary code execution when processing malicious web content. Apple has addressed the issue with improved input validation checks.
The second flaw (CVE-2024-44309) is a cookie management issue in WebKit that could enable cross-site scripting (XSS) attacks when handling malicious web content. Apple implemented enhanced state management to resolve the issue.
Although Apple has acknowledged that the vulnerabilities “may have been actively exploited on Intel-based Mac systems,” the company has withheld specific details about the nature of the exploitation.
The security patches are included in iOS 18.1.1 and iPadOS 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1 (Intel-based systems), visionOS 2.1.1 (Apple Vision Pro), and Safari 18.1.1 (for macOS Ventura and macOS Sonoma).
In parallel, Oracle has patched a critical remote execution flaw in its Agile Product Lifecycle Management (PLM) Framework that is being actively exploited in the wild.
Tracked as CVE-2024-21287, the flaw exists due to missing authorization within the Software Development Kit, Process Extension component. A remote, unauthenticated attacker can send a specially crafted HTTP request and view arbitrary files on the system.
Users are strongly advised to apply the security fixes as soon as possible to prevent exploitation.