Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


           Apple Updates Block Two Zero-Day Security Vulnerabilities

   Adam Engst

   Apple has released a flurry of updates in response to a pair of
   security vulnerabilities that the company says 'may have been actively
   exploited on Intel-based Mac systems.' That's an unusual level of
   specificity for Apple, especially given that the vulnerabilities are in
   core code shared by other platforms.

   The two vulnerabilities are highly problematic. The JavaScriptCore
   vulnerability allows for arbitrary code execution, and the WebKit
   vulnerability enables maliciously crafted Web content to lead to a
   cross-site scripting attack. Both vulnerabilities were identified by
   Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group.

   [1]Apple's updates so far include:
     * macOS 15.1.1 Sequoia
     * iOS 18.1.1 and iPadOS 18.1.1
     * iOS 17.7.2 and iPadOS 17.7.2
     * visionOS 2.1.1
     * Safari 18.1.1 for macOS 14 Sonoma and macOS 13 Ventura

   The release notes are identical for all of them, and there's no
   indication that anything else has changed. I wouldn't be surprised if
   tvOS is technically vulnerable but not worth updating, and it's hard to
   imagine watchOS or HomePod Software being vulnerable in any real way.

   Given the severity of these vulnerabilities and the fact that they have
   been exploited in the wild, I encourage you to install these updates
   soon.

References

   1. https://support.apple.com/en-us/100100

.