WebKit exploit: Apple updates iOS, iPadOS, visionOS, macOS 15 and Safari
Apple is pushing iOS 18.1.1, macOS 15.1.1 and visionOS 2.1.1 to close actively exploited vulnerabilities. Users are advised to update quickly.
Apple updated all of its operating systems on Wednesday night to close dangerous security vulnerabilities in the WebKit browser engine. These were discovered by Clément Lecigne and Benoît Sevens from Google's Threat Analysis Group (TAG). According to Apple, there are reports that the bugs are already being actively used against – unspecified – targets, so exploits already exist. You should therefore update quickly.
Which updates are available
The two vulnerabilities are closed with updates to iOS 18.1.1 and iPadOS 18.1.1, macOS 15.1.1 and visionOS 2.1.1. Apple also provides users of iOS 17 and iPadOS 17 with fixes, which are included in the new versions iOS 17.7.2 and iPadOS 17.7.2. Users of macOS 13 and 14 (Ventura and Sonoma) do not need to update their operating system; they only need to update to Safari 18.1.1. As usual, all updates are triggered via the system settings.
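The version thresholds listed above, expressed as a fleet inventory check. This is an added example, not code from Apple or heise; the function names and the inventory records are constructed for illustration, and treating later major releases as patched is an assumption.

```python
# Fixed versions per release branch, taken from the article text.
FIXED_OS = {
    "iOS": {18: (18, 1, 1), 17: (17, 7, 2)},
    "iPadOS": {18: (18, 1, 1), 17: (17, 7, 2)},
    "macOS": {15: (15, 1, 1)},
    "visionOS": {2: (2, 1, 1)},
}
SAFARI_FIXED = (18, 1, 1)      # delivered separately for macOS 13 and 14
SAFARI_ONLY_MACOS = {13, 14}   # Ventura and Sonoma: no OS update, Safari only


def parse(version):
    """Turn '18.1' into (18, 1, 0) so versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def status(platform, os_version, safari_version=None):
    """Classify one device against the fixed versions named in the article."""
    ver = parse(os_version)
    major = ver[0]
    if platform == "macOS" and major in SAFARI_ONLY_MACOS:
        if safari_version is None:
            return "unknown: Safari version missing"
        ok = parse(safari_version) >= SAFARI_FIXED
        return "patched" if ok else "update Safari to 18.1.1"
    branches = FIXED_OS.get(platform)
    if branches is None:
        return "unknown: platform not covered"
    if major in branches:
        fixed = branches[major]
        return "patched" if ver >= fixed else "update to " + ".".join(map(str, fixed))
    if major > max(branches):
        return "patched"  # assumption: later major releases include the fix
    return "unknown: no fix listed for this release"


def needs_action(inventory):
    """Return (host, status) for every device that is not confirmed patched."""
    rows = [(d["host"], status(d["platform"], d["os"], d.get("safari"))) for d in inventory]
    return [row for row in rows if row[1] != "patched"]


# Constructed sample inventory, e.g. exported from an MDM.
SAMPLE = [
    {"host": "phone-01", "platform": "iOS", "os": "18.1"},
    {"host": "phone-02", "platform": "iOS", "os": "17.7.2"},
    {"host": "mac-01", "platform": "macOS", "os": "14.7.1", "safari": "18.1"},
    {"host": "mac-02", "platform": "macOS", "os": "15.1.1"},
]
```
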
The patched bugs have the CVE IDs CVE-2024-44308 and CVE-2024-44309 (WebKit Bugzilla: 283063 and 283095). The first bug is in JavaScriptCore and can lead to the execution of arbitrary code just by accessing a website. Apple fixes this with "improved checks". The second bug allows cross-site scripting attacks via manipulated websites. There was a cookie management problem here, which Apple has fixed.
No further details on the exploit yet
Both bugs may have been exploited in combination, but it is still unclear exactly how. According to Apple, only Intel-based Mac systems have been attacked so far, but the vulnerability also affects Apple Silicon. It is to be hoped that Google's TAG will provide more details in the future, as there has been no new entry on the security team's official blog to date.
Apple itself rarely provides details about such exploits, leaving this to the discoverers. This is bad news for manufacturers of anti-malware products, as they cannot initially search for possible infections. Google's TAG has already discovered numerous vulnerabilities in Apple systems in the past and also works together with the press and human rights activists.
(bsc)