PSA: Update your Mac right now to patch this actively exploited zero-day flaw

Ahead of the eagerly anticipated macOS 15.2 update, Apple on Tuesday released the macOS Sequoia 15.1.1 emergency update to patch a pair of scary vulnerabilities that have already been used in remote attacks. 

The two patches fix flaws in JavaScript and WebKit, and were both discovered by Google’s Threat Analysis Group. Apple says both vulnerabilities “may have been actively exploited on Intel-based Mac systems.” Apple doesn’t specifically say whether Apple silicon Macs are affected, but the same flaws were patched in iOS 18.1.1.

JavaScriptCore

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 283063

CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

WebKit

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 283095

CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

While the update is available for all Macs running macOS 15.1, there is no release for Macs running macOS Sonoma 14.7.1 or Ventura 13.7.1. Apple will likely patch the same vulnerabilities in those systems when macOS 15.2 arrives in December.

To update your Mac, head over to System Settings, then General, Software Update, and select Update Now. Then follow the prompts to restart.