Tech giant Apple has released a patch for two zero-day vulnerabilities that hackers have used to exploit Intel-based Mac computers.
According to the Nov. 19 advisory from Apple, both vulnerabilities have been “actively exploited” and involve “processing maliciously crafted web content.”
The vulnerabilities even caught the attention of the co-founder and former CEO of Binance, Changpeng “CZ” Zhao, who chimed in, warning users to update their tech immediately to avoid falling prey to the exploit.
“If you use a Macbook with Intel based chip, update asap!” he said.
One of the flaws, tagged as CVE-2024-44308 by Apple, can trigger JavaScriptCore software to run malicious code without a user’s knowledge or permission. Apple said the issue was “addressed with improved checks.”
The second vulnerability, CVE-2024-44309, can cause a “cross-site scripting attack” through Apple’s WebKit browser engine. A cyberattack of this nature can result in hackers injecting malicious computer code into other websites or apps being used.
Apple said this was “a cookie management issue” and was addressed with “improved state management.”
As is often the case, the tech giant didn’t “disclose, discuss, or confirm” the flaws until it had investigated and crafted a patch to fix them.
A zero-day flaw is a bug or weakness that hackers discover and take advantage of before the software developer has had a chance to patch or address the issue, giving them “zero days” to fix it.
Further details are scarce. It’s unknown who is behind the hack, how many users have been affected, or if any cyberattacks were successful.
The tech giant has listed Google security researchers Clément Lecigne and Benoît Sevens as the ones who found the bugs.
Both are from the company’s Threat Analysis Group, which focuses on countering government-backed hacking and attacks against Google, which could suggest the culprit, in this case, is an unfriendly government.
North Korea targeted Apple users earlier this month. On Nov. 12, researchers caught North Korean hackers going after macOS users with a new malware campaign using phishing emails, fake PDF applications, and a technique to evade Apple’s security checks.
The researchers said it was the first time they had seen this type of tech used to compromise Apple’s macOS operating system, but they found it couldn’t run on up-to-date systems.
In October, North Korean hackers were also caught exploiting a vulnerability in Google’s Chrome to steal crypto wallet credentials.