All iPhone users warned ‘update now’ over two serious security risks

Installing a “important” security update on iPhones is advised to prevent hackers from gaining access to the devices.

A new security update released by Apple addresses two critical flaws that let remote attackers compromise iPhones.

The update, which is available for download today, is called OS 15.1.1 for Mac users and iOS 18.1.1 for iPhone users.

Michael Covington, vice president of strategy at security company Jamf, recommended users and mobile-first organizations to deploy the most recent updates as quickly as possible because attackers may exploit both vulnerabilities.

Below is a list of the defects:

• CVE-2024-44308 – A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
• CVE-2024-44309 – A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content

Although this may seem confusing to the normal individual, Covington explains it.

“CVE-2024-44308 is a vulnerability in JavaScriptCore, a framework for running JavaScript code in apps and web browsers,” he states.

He went on to say that “when malicious code is injected into the web content,” such as a web page or link, “it allows attackers to compromise the device.”

The second vulnerability, CVE-2024-44309, was discovered in WebKit and allows hackers to attack cookie management and insert malware into reliable websites.

Web cookies provide websites the ability to remember you, your login credentials, and occasionally even your financial information—information you don’t want hackers to have access to.

“It’s critical to promptly address vulnerabilities in WebKit,” Covington said.

“It is the framework that powers Safari, and also presents other web-based content to users.”

Apple has cautioned that hackers may have already taken advantage of both vulnerabilities on Mac systems.

We don’t know much about these possible attacks, though.

The vulnerabilities were found by Cl ment Lecigne and Beno t Sevens of Google’s Threat Analysis Group (TAG).

The Hacker News said that the vulnerabilities might have been part of a mercenary or government-sponsored targeted spyware attack.

Stronger tests to identify malicious behavior have been added by the security update.

When iPhone users use the Safari web browser, Apple has also made improvements to the way devices track and manage data.