Apple disclosed and patched two zero-day vulnerabilities in macOS Sequoia that have been exploited in the wild.
In a security update published on Tuesday, Apple disclosed and released patches for two zero-day vulnerabilities, tracked as CVE-2024-44308 and CVE-2024-44309, that were addressed in macOS Sequoia version 15.1.1. Apple credited Clément Lecigne and Benoît Sevens, security engineers for Google’s Threat Analysis Group (TAG), with discovering both flaws.
Both flaws are triggered when users interact with a malicious webpage. Exploitation of CVE-2024-44308 could lead to arbitrary code execution, and threat actors who exploit CVE-2024-44309 could conduct cross-site scripting attacks.
“Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” Apple wrote in the security advisory for both flaws.
Apple said it addressed CVE-2024-44308, which TAG researchers discovered in JavaScriptCore, with improved checks. The researchers found CVE-2024-44309 in WebKit. Apple determined that it was a cookie management issue and fixed it with improved state management. Apple typically provides limited information in security advisories, so the…