PSA: Update your Mac right now to patch this actively exploited zero-day flaw

Ahead of the eagerly anticipated macOS 15.2 update, Apple on Tuesday released the macOS Sequoia 15.1.1 emergency update to patch a pair of scary vulnerabilities that have already been used in remote attacks. 

The two patches fix flaws in JavaScript and WebKit, and were both discovered by Google’s Threat Analysis Group. Apple says both vulnerabilities “may have been actively exploited on Intel-based Mac systems.” Apple doesn’t specifically say whether Apple silicon Macs are affected, but the same flaws were patched in iOS 18.1.1.

JavaScriptCore

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
• Description: The issue was addressed with improved checks.
• WebKit Bugzilla: 283063
• CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

WebKit

• Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
• Description: A cookie management issue was addressed with improved state management.
• WebKit Bugzilla: 283095
• CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group

While the update is available for all Macs running macOS 15.1, there is no release for Macs running macOS Sonoma 14.7.1 or Ventura 13.7.1. Apple will likely patch the same vulnerabilities in those systems when macOS 15.2 arrives in December.

To update your Mac, head over to System Settings, then General, Software Update, and select Update Now. Then follow the prompts to restart.