
Urgent Apple security updates fix 2 “actively exploited” flaws in macOS, iOS, and more

On Tuesday, November 19, Apple released urgent operating system updates for macOS, iOS, iPadOS, and visionOS. These updates fix vulnerabilities that “may have been actively exploited” in the wild.

Here’s everything we know about these critical security updates.

In this article:

  • What Apple patched
  • What Apple didn’t patch
  • How to install Apple security updates
  • How can I learn more?

What Apple patched

Apple patched the same two vulnerabilities for all of the following operating systems:

  • macOS Sequoia 15.1.1
  • macOS Ventura and macOS Sonoma (via Safari 18.1.1)
  • iOS 18.1.1 and iPadOS 18.1.1
  • iOS 17.7.2 and iPadOS 17.7.2
  • visionOS 2.1.1

Those two vulnerabilities are as follows:

JavaScriptCore
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 283063
CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

WebKit
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
Description: A cookie management issue was addressed with improved state management.
WebKit Bugzilla: 283095
CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

Interestingly, Apple only claims to be aware of these vulnerabilities having been used against Intel Macs. This suggests that perhaps they may have been used in highly targeted attacks against an organization or individuals who were known to still be using Mac models from before Apple’s transition to Apple silicon (M1 chips) in 2020.

Apple also reverted to referring to “exploited” vulnerabilities as “actively exploited.”

What Apple didn’t patch

It’s important to note that Apple did not release security updates for any of the following operating systems:

  • watchOS 11 — the current Apple Watch operating system
  • tvOS 18 — the current Apple TV operating system
  • macOS Monterey — no security updates since July 2024
  • iOS 16 and iPadOS 16 — no security updates since August 2024
  • watchOS 10 — no updates since August 2024

The specific bugs that Apple patched in this week’s updates presumably impact all Apple operating systems that include WebKit—the page-rendering engine used throughout the OS, not just in the Safari browser. Both watchOS and tvOS rely on WebKit as an underlying technology, despite the lack of a standalone Safari browser.

What about older devices that can’t be upgraded?

If you have an older device that cannot be upgraded to the latest version of iOS or iPadOS (18.x), or watchOS (11.x), you should strongly consider purchasing a newer model. Any model of iPhone, iPad, or Apple Watch that Apple currently sells can run the newest operating systems and thus get all available security updates.

If you have a Mac that’s still running macOS Monterey or older, be sure to check the Mac App Store to see whether your Mac is officially compatible with macOS Sequoia. If not, you may be able to upgrade your Mac to macOS Sequoia unofficially—without Apple’s support or blessing.

Old vulnerabilities remain unpatched

Meanwhile, Apple continues to leave open-source software components in macOS Sequoia critically outdated and highly vulnerable. For example, Sequoia still includes LibreSSL 3.3.6, which is more than 2.5 years old and contains at least four known vulnerabilities, including two rated “9.8 CRITICAL” on the CVSS scale. The latest stable release is 4.0.0, released on October 14; the last 3.x version was 3.9.2, released on May 12.

Additionally, Apple has once again neglected to patch a Safari bug for macOS, iOS, and iPadOS that the company has known about for more than 5.5 years. The bug makes it easy to spread misinformation via iMessage featuring fake news headlines that appear to come from credible sources.

In spite of these lingering issues, we recommend upgrading to macOS Sequoia to address a plethora of other vulnerabilities. If your Mac is not on Apple’s compatibility list for macOS Sequoia, you should consider buying a new Mac; learn which one is ideal for you. Or, if you like living on the edge, you can upgrade your old Mac to macOS Sequoia without Apple’s support or blessing.

How to install Apple security updates

Given that both of this week’s patched vulnerabilities were reportedly exploited in the wild, you should update as soon as you reasonably can.

For macOS updates

If you haven’t yet upgraded to macOS Sequoia, be sure to first update any software that’s important to you. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings > General > Software Update. Alternatively, go to the Spotlight (🔍) menu and search for Software Update, and open it from the search results.

If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l (that’s a lowercase L) and press Return/Enter, then check System Settings > General > Software Update again.
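The two checks a practitioner wants here are "is this device already on a fixed version?" and "what will Software Update install?" The script below is an added example, not code from the original post and not an Apple tool: it compares an installed version against the fixed versions listed in this article (macOS 15.1.1, Safari 18.1.1 for Ventura/Sonoma, iOS/iPadOS 18.1.1 and 17.7.2, visionOS 2.1.1), and extracts the labels that softwareupdate -l prints so they can be fed to softwareupdate -i. The product keys (macos-15, safari, ios-17, …), the function names and the sample softwareupdate output are this example's own assumptions; the sample output is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the original post and not an Apple tool): decides
# whether an installed version already carries this week's fixes for
# CVE-2024-44308 and CVE-2024-44309, and extracts installable labels from
# `softwareupdate -l` output. Fixed version numbers come from the article;
# product keys, function names and the sample output are assumptions.

# vfield N VERSION : prints the Nth dot-separated numeric field of VERSION,
# or 0 when VERSION has fewer fields (so 15.1 compares as 15.1.0).
vfield() {
    _v=$2. _n=$1
    while [ "$_n" -gt 1 ]; do _v=${_v#*.}; _n=$((_n - 1)); done
    _f=${_v%%.*}
    echo "${_f:-0}"
}

# version_ge A B : true (exit 0) when dotted version A >= B, comparing up to
# three fields numerically, so 15.1.1 > 15.1 and 15.10 > 15.9.
version_ge() {
    for _i in 1 2 3; do
        _x=$(vfield "$_i" "$1") _y=$(vfield "$_i" "$2")
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
    done
    return 0   # all three fields equal
}

# Lowest version of each product that contains the fixes (from the article).
# macOS Ventura and Sonoma are fixed through Safari 18.1.1, not an OS update.
min_fixed_version() {
    case "$1" in
        macos-15)          echo 15.1.1 ;;
        safari)            echo 18.1.1 ;;
        ios-18|ipados-18)  echo 18.1.1 ;;
        ios-17|ipados-17)  echo 17.7.2 ;;
        visionos)          echo 2.1.1 ;;
        *)                 return 1 ;;   # watchOS, tvOS, older macOS: nothing shipped
    esac
}

# is_patched PRODUCT VERSION : exit 0 when VERSION carries the fix, 1 when it
# does not, 2 when no fix exists for PRODUCT. Prints a one-line verdict.
is_patched() {
    _min=$(min_fixed_version "$1") || { echo "$1 $2: no fix released this week"; return 2; }
    if version_ge "$2" "$_min"; then
        echo "$1 $2: patched (fix shipped in $_min)"
        return 0
    fi
    echo "$1 $2: VULNERABLE, update to $_min or later"
    return 1
}

# Extracts the "Label:" values from `softwareupdate -l` output (read on stdin)
# so they can be passed to `softwareupdate -i "<label>"`.
softwareupdate_labels() {
    sed -n 's/^\* Label: //p'
}

# Constructed sample of `softwareupdate -l` output (not captured from a real Mac).
SAMPLE_SWU_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Sequoia 15.1.1-24B2091
    Title: macOS Sequoia 15.1.1, Version: 15.1.1, Size: 1897024KiB, Recommended: YES, Action: restart,
* Label: Safari18.1.1SonomaAuto-18.1.1
    Title: Safari, Version: 18.1.1, Size: 168420KiB, Recommended: YES,'

# On a real Mac: check the running macOS (or, on Ventura/Sonoma, Safari), then
# list what Software Update would install. Does nothing on other systems.
check_this_mac() {
    command -v sw_vers >/dev/null 2>&1 || { echo "not macOS; call is_patched by hand, e.g. is_patched ios-17 17.7.1"; return 0; }
    _os=$(sw_vers -productVersion)
    case "$_os" in
        15.*)      is_patched macos-15 "$_os" ;;
        13.*|14.*) is_patched safari "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)" ;;
        *)         is_patched macos-old "$_os" ;;
    esac
    _rc=$?
    # Then install with: sudo softwareupdate -i "<label>"  (or -i -a -R for everything, with restart)
    softwareupdate -l 2>&1 | softwareupdate_labels
    return $_rc
}

check_this_mac
```

Run it as `sh check_apple_update.sh` on the Mac in question; the exit status is 0 when the device is on a fixed version, 1 when it is not, and 2 when the running OS got no update this week (the watchOS, tvOS and older-macOS cases discussed above).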

If you have an iMac Pro or a MacBook Pro (2018) that’s still running macOS High Sierra, look for macOS Sequoia in the Mac App Store and download it from there instead.

Note that only the latest macOS version (currently, that’s macOS Sequoia) is ever fully patched; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”

For other Apple OS updates released this week

Users of iPhone or iPad can open the Settings app and choose General > Software Update to update iOS or iPadOS on their devices. (This is called an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there; or, if you use a Windows PC, you can use the Apple Devices app.

To update visionOS on your Apple Vision Pro, Apple recommends that you first back up your device to iCloud. Then go to Settings > General > Software Update to check for updates.

For Apple operating systems not updated this week

Apple did not release a watchOS update this week. But here’s how to update watchOS on your Apple Watch, for future reference. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 18). Next, ensure that both your iPhone and Apple Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.

Apple also did not release a tvOS update this week. But to update tvOS on your Apple TV, open the Settings app and choose System > Software Updates.

Similarly, Apple did not release a HomePod update this week. HomePod Software (sometimes called audioOS or HomePodOS) should update automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting. Note that Apple has never mentioned this operating system on its security updates page; nevertheless, since HomePod Software always shares the same build number as tvOS, one can reasonably assume that any security issues addressed in tvOS are also fixed in HomePod Software.

It’s wise to back up before updating

Whenever you’re preparing to update macOS, iOS, iPadOS, or visionOS, it’s a good idea to always back up your data before installing any updates. This gives you a restore point if something doesn’t go as planned. See our related article on how to check your macOS backups to ensure they work correctly.

See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.