WWW.COMPUTERWEEKLY.COM
Apple addresses two iPhone, Mac zero-days
Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.The fixes for CVE-2024-44308 and CVE-2024-44309 both attributed to Clment Lecigne and Benot Sevens of the Google Threat Analysis Group affect devices running iOS and iPadOS 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. They are also present in Safari 18.1.1.CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victims browser. They can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.Michael Covington, vice-president of strategy at Jamf, a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the frameworks criticality to the Safari web browser.The fixes provided byAppleintroduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able, said Covington.CVE-2024-44309 is not the first issue to affect WebKit identified this year. In late January Apple patched CVE-2024-23222 which also made it into the US Cybersecurity and Infrastructure Security Agencys (CISAs) Known Exploited Vulnerabilities (KEV) catalogue.Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable deviceAs ever, Apple has provided scant detail on either of these vulnerabilities or how they have been taken advantage of. However, their identification by Google teams that have previously worked on vulnerabilities exploited by predatory commercial spyware vendors such as disgraced Israeli firm NSO may indicate the sort of people to whom these new flaws may be of interest.Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.As usual, Apple users who have not enabled automated updates can download the patches by navigating to their devices Settings menu, then to General, then to Software Update.Read more about mobile securityMobile devices bring their own set of challenges and risks to enterprise security. To handle mobile-specific threats, IT should conduct regular mobile security audits.To keep corporate and user data safe, IT must continuously ensure mobile app security. Mobile application security audits are a helpful tool to stay on top of data protection.Behavioural-based biometrics offer tantalising advantages over more traditional biometric solutions. Learn about some of the benefits and potential challenges for safe and secure implementation.
0 Commentarii 0 Distribuiri 17 Views