Apple's November Vulnerabilities
CVE-2024-11691: WebGL Operations and Memory Corruption
In November 2024, a critical vulnerability specific to Apple silicon M series devices was disclosed. This flaw, found in Apple's GPU driver, caused an out-of-bounds write and memory corruption during certain WebGL operations. Notably, this vulnerability affected Firefox and Thunderbird versions on Apple M series hardware. Other platforms remained unaffected.
Affected Versions:
Firefox versions earlier than 133
Firefox ESR earlier than 128.5 and 115.18
Thunderbird earlier than 133, 128.5, and 115.18
This issue highlights the challenges of platform-specific vulnerabilities and emphasizes the need for proactive driver and software testing.
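The affected-version list above, applied to a host inventory as an added example (not code from the original article, Mozilla, or Apple). The inventory format, the use of `arm64` to stand for Apple silicon Macs, and the reading of 128.5 and 115.18 as the fixed versions of the 128.x and 115.x branches are assumptions.

```python
import re

# Fixed versions per release branch, taken from the "Affected Versions" list.
# Assumption: 115.18 and 128.5 are the fixes for the 115.x and 128.x branches,
# and 133 is the fix for every other version.
BRANCH_FIX = {115: (115, 18), 128: (128, 5)}
DEFAULT_FIX = (133, 0)
PRODUCTS = {"firefox", "thunderbird"}


def parse_version(text):
    """Turn '128.4.0esr' or '133.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_affected(product, version, arch):
    """True if the build predates the fix for its branch and runs on Apple silicon."""
    if product.lower() not in PRODUCTS or arch.lower() != "arm64":
        return False  # the article reports other platforms as unaffected
    v = parse_version(version)
    fix = BRANCH_FIX.get(v[0], DEFAULT_FIX)
    return v[:2] < fix


def triage(inventory_csv):
    """Return the hosts whose records fall in the CVE-2024-11691 affected set."""
    hits = []
    for line in inventory_csv.strip().splitlines():
        host, product, version, arch = (f.strip() for f in line.split(","))
        if is_affected(product, version, arch):
            hits.append(host)
    return hits


# Constructed sample inventory of macOS hosts: host, product, version, CPU arch.
SAMPLE = """
mac-01, Firefox, 132.0.2, arm64
mac-02, Firefox, 133.0, arm64
mac-03, Firefox, 128.4.0esr, arm64
mac-04, Firefox, 128.5.0esr, arm64
mac-05, Thunderbird, 115.17.0, arm64
mac-06, Firefox, 131.0, x86_64
mac-07, Thunderbird, 115.18.0, arm64
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```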
CVE-2024-44308 and CVE-2024-44309: Exploitable Issues in Apple's Ecosystem
Two additional vulnerabilities, CVE-2024-44308 and CVE-2024-44309, were reported within Safari and macOS environments:
CVE-2024-44308: Arbitrary Code Execution via Malicious Web Content
Severity: 8.8 (High)
Platforms Affected: Safari, iOS, iPadOS, macOS Sequoia, and visionOS
Resolution: Improved checks were introduced to prevent arbitrary code execution.
Exploit Status: Actively exploited on Intel-based Mac systems.
CVE-2024-44309: Cross-Site Scripting via Cookie Management
Severity: 6.1 (Medium)
Platforms Affected: Similar scope to CVE-2024-44308.
Resolution: Enhanced state management to mitigate cookie manipulation.
Exploit Status: Actively exploited on Intel-based Mac systems.
These vulnerabilities demonstrate the critical need for careful handling of web content and cookie state, especially in widely used applications like Safari.
CVE-2024-50106: Linux Kernel Race Condition
A race condition vulnerability affecting the Linux kernel's Network File System (NFS) daemon was also disclosed. Although not directly tied to Apple, this issue is notable for its technical complexity and potential impact on Apple Virtualization platforms.
Key Issue:
The race condition arises during the handling of revoked delegations and free_stateid operations, leading to a use-after-free bug. This manifests as kernel crashes and system instability.
Resolution:
The Linux community addressed this by refining state coordination mechanisms to prevent improper handling of state identifiers.
Conclusion
November 2024 underlined the importance of timely updates and robust security practices. Apple users, particularly those on Safari or Intel-based Mac systems, are advised to upgrade to the latest software versions. The CVE disclosures serve as a reminder of the evolving landscape of security threats and the necessity of vigilance in both proprietary and open-source ecosystems.