Safari Addresses Cookie Management Issue, Patches Cross-Site Scripting Flaw
Summary
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-44309 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
News Articles
CISA Warns of Apple & Oracle Agile Vulnerabilities Exploited in Wild
CISA has issued an urgent advisory regarding three critical vulnerabilities affecting Apple and Oracle products.
23 hours ago
Apple warns 2 macOS zero-day vulnerabilities under attack | TechTarget
Apple published a security update with limited details on zero-day vulnerabilities CVE-2024-44308 and CVE-2024-44309 in macOS Sequoia.
3 days ago
Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) - Help Net Security
Apple has released security updates for macOS Sequoia that fix two exploited zero-day vulnerabilities (CVE-2024-44309, CVE-2024-44308).
3 days ago
Timeline
- 👾 Exploit exists.
- First article discovered by Help Net Security.
- Vulnerability published.