
Apple warns 2 macOS zero-day vulnerabilities under attack

The macOS Sequoia vulnerabilities are the latest to be targeted and exploited by threat actors as cybersecurity vendors report a shift in the landscape.

Apple disclosed and patched two zero-day vulnerabilities in macOS Sequoia that have been exploited in the wild.

In a security update published on Tuesday, Apple disclosed and released patches for two zero-day vulnerabilities, tracked as CVE-2024-44308 and CVE-2024-44309, that were addressed in macOS Sequoia version 15.1.1. Apple credited Clément Lecigne and Benoît Sevens, security engineers for Google's Threat Analysis Group (TAG), with discovering both flaws.

Both flaws are triggered when users interact with a malicious webpage. Exploitation of CVE-2024-44308 could lead to arbitrary code execution, and threat actors who exploit CVE-2024-44309 could conduct cross-site scripting attacks.

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple wrote in the security advisory for both flaws.

Apple said it addressed CVE-2024-44308, which TAG researchers discovered in JavaScriptCore, with improved checks. The researchers found CVE-2024-44309 in WebKit; Apple described it as a cookie management issue and fixed it with improved state management. Apple typically provides limited information in its security advisories, so the scope of the exploitation activity and the technical details of the vulnerabilities remain unknown.

The vulnerabilities were fixed in Safari 18.1.1, iOS 17.7.2, iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1, iPadOS 18.1.1 and visionOS 2.1.1, according to a Tenable blog post.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that Apple is known for providing limited technical details in its advisories. However, he highlighted one notable aspect of Apple's advisory.

"The one interesting aspect about these two zero-days is that the advisories called out exploitation specifically for Intel-based Mac systems, which are now considered legacy products for Apple. Apple switched over to their own Apple silicon in late 2020," Narang said. "Typically, zero-day exploitation of vulnerabilities is part of limited, targeted attacks. When you add that these were attributed to researchers at Google's Threat Analysis Group, which are often tasked with investigating targeted attacks, it supports that hypothesis. Until Google's Threat Analysis Group publishes their own research into the attacks, we won't know more than what's in the advisories."

Several cybersecurity companies have noted an increase in Mac-based attacks this year. Last month, security vendor Trellix published a blog post titled "MacOS Malware Surges as Corporate Usage Grows." Trellix researchers cited a shift observed across the Mac malware landscape over the past few years as more organizations adopt macOS devices.

Trellix warned that the new trend has garnered the attention of a variety of cybercriminals and advanced persistent threat actors. The blog post named the Lazarus Group, a North Korean APT group, as one that has shifted focus to target macOS as usage rises.

Laura Brosnan, senior information security specialist at Red Canary, also published a blog post last month on the rising trend. Like Trellix, Brosnan said adversaries are increasingly targeting macOS devices as they become more widely used among organizations. She highlighted a surge in Mac malware, including Atomic Stealer, Poseidon Stealer and Cthulhu Stealer.

"In fact, many people still hold the belief that macOS is immune to malware -- a dangerous misconception," Brosnan wrote in the blog post. "However, 2024 has shattered that illusion."

Earlier this month, SentinelOne published a blog post on a new attack targeting cryptocurrency-related businesses that use Macs. Like Trellix, SentinelLabs researchers assessed that the activity is linked to North Korea-affiliated threat actors. They observed one concerning but consistent trend throughout the campaign: the threat actors abused valid Apple developer accounts to have their malware notarized by Apple, allowing it to bypass macOS's built-in security protections.

"In light of this and the general increase in macOS crimeware observed across the security industry, we encourage all macOS users, but particularly those in organizational settings, to harden their security and increase their awareness of potential risks," SentinelLabs wrote in the blog post.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
