Update Nov. 21, 2024: This story, originally published Nov. 20, now includes details of a new CISA warning, as well as more expert advice on the fixes issued in iOS 18.1.1 and iOS 17.7.2.
Apple has issued iOS 18.1.1, an emergency iPhone update that you should apply now. That’s because iOS 18.1.1 fixes two serious security vulnerabilities, both of which are already being used in real-life attacks.
Apple doesn’t give much information about what’s fixed in iOS 18.1.1, to give people as much time to update as possible before more attackers get hold of the details. But the iPhone maker does say the iOS 18.1.1 update “provides important security fixes and is recommended for all users.”
Tracked as CVE-2024-44308, the first issue patched in iOS 18.1.1 is a flaw in the JavaScriptCore framework that could result in code execution if the user interacts with maliciously crafted web content. “Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” the iPhone maker said on its support page.
The second issue patched in iOS 18.1.1, tracked as CVE-2024-44309, is a flaw in WebKit, the engine that underpins Apple’s Safari browser. If exploited, a user could fall victim to a cross-site scripting attack, which sees an attacker inject malicious code into a trusted website or application.
Again, Apple said it is aware of a report that this issue “may have been actively exploited on Intel-based Mac systems.”
Alongside iOS 18.1.1, Apple has also released iOS 17.7.2, for people with older devices or who do not want to upgrade to iOS 18 yet, fixing the same two vulnerabilities.
Apple has also released macOS Sequoia 15.1.1 and visionOS 2.1.1 to fix the already-exploited flaws.
New CISA Warning—Update To iOS 18.1.1 Or iOS 17.7.2
The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning, telling businesses and users to update to iOS 18.1.1 or iOS 17.7.2, macOS Sequoia 15.1.1, visionOS 2.2.2 and Safari 18.1.1 as soon as possible. “Apple released security updates to address vulnerabilities in multiple Apple products,” the CISA alert says.
CISA says the Apple updates are important because “a cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”
With this in mind, the agency says it encourages users and administrators to review the advisories and “apply necessary updates.”
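For administrators acting on the CISA advice, the practical check is whether each managed iPhone or iPad is already on a fixed release. The following Python script is an added example, not part of the original article or any Apple or CISA tooling; it encodes the two fixed releases named above (18.1.1 on the iOS 18 branch, 17.7.2 on the iOS 17 branch), compares versions numerically rather than as strings, and groups a constructed sample inventory by status. Device names, versions and the build suffix in the sample are invented for illustration.

```python
from __future__ import annotations
import re

# Minimum fixed releases per iOS/iPadOS branch, as stated in the article:
# the 18 branch is fixed in 18.1.1, the 17 branch in 17.7.2.
FIXED_IOS: dict[int, tuple[int, int, int]] = {
    18: (18, 1, 1),
    17: (17, 7, 2),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise an MDM-reported version such as '18.1', '17.7.2' or
    '18.1.1 (build)' into a three-part tuple that compares correctly.
    Plain string comparison would wrongly rank '18.1.1' below '18.10'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def ios_status(version: str) -> str:
    """Classify one device's iOS/iPadOS version against the fixed releases."""
    v = parse_version(version)
    fixed = FIXED_IOS.get(v[0])
    if fixed is None:
        # The article lists no patched release for other branches (e.g. iOS 16),
        # so report them as outstanding rather than guessing a fixed build.
        return "no-fix-listed"
    return "patched" if v >= fixed else "needs-update"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by status so the update-needed list can be actioned."""
    groups: dict[str, list[str]] = {
        "patched": [],
        "needs-update": [],
        "no-fix-listed": [],
    }
    for device, version in inventory.items():
        groups[ios_status(version)].append(device)
    return groups


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "iphone-alice": "18.1.1",
    "ipad-bob": "18.1",
    "iphone-carol": "17.7.2 (build-placeholder)",
    "iphone-dave": "17.6.1",
    "ipad-erin": "16.7.10",
    "iphone-frank": "18.2",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

The branch-aware table matters because a device on iOS 17.7.2 is fixed even though 17.7.2 is numerically lower than 18.1; a single "minimum version" check would flag it incorrectly. Devices on branches the advisory does not cover are reported separately so they are not silently treated as safe.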
Why You Should Update To iOS 18.1.1 Now
While there are only two vulnerabilities fixed in iOS 18.1.1, they are “significant,” says Sean Wright, head of application security at Featurespace. “The JavaScriptCore vulnerability could allow attackers to remotely target victims to execute code on their devices,” he says. “This code would hopefully be limited to existing sandbox protections, but it could allow attackers to do things such as redirect users to malicious sites and potentially steal session tokens.”
The other vulnerability in WebKit could have a similar impact to the JavaScriptCore vulnerability, says Wright. Due to the way Apple enforces browsers on its ecosystem, this will likely affect all browsers across the tech giant’s ecosystem, including iPhones, iPads and Macs, he says.
Apple’s iOS 18.1.1 and iPadOS 18.1.1 include two important security fixes to bugs that could allow attackers to remotely compromise a user’s device, says Michael Covington, VP of Strategy at Jamf.
While Apple has warned that the vulnerabilities, also present in macOS, may be actively exploited on Intel-based systems, he recommends “updating any device that is at risk.”
CVE-2024-44308 allows attackers to compromise the device when malicious code is injected in the web content, says Covington.
CVE-2024-44309, the flaw in WebKit, enables cross-site scripting attacks by exploiting how cookies are managed, Covington explains. “Vulnerabilities in WebKit are important to patch quickly as it is the framework that powers Safari, and also presents other web-based content to users.”
Given that the two vulnerabilities patched in iOS 18.1.1 are being used in attacks, Wright advises “updating as soon as you can.”
Also, be extra vigilant about the sites you browse and any links that you click on, he says.
The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing, Covington adds.
With attackers potentially exploiting both vulnerabilities, he says it is “critical that users and mobile-first organisations apply the latest patches as soon as they are able.”
Apple’s iOS 18.1.1 is available for the iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later and iPad mini 5th generation and later.
Make no mistake, the flaws patched in iOS 18.1.1 and iOS 17.7.2 are serious, hence Apple’s need to issue this as an emergency, security-only iPhone update. You know what to do: go to Settings > General > Software Update and download and install iOS 18.1.1 or 17.7.2 now.