CVE-2024-44308 — Apple Multiple Products Code Execution Vulnerability

CVE-2024-44308

Apple JavaScriptCore — Zero-Day Remote Code Execution via Malicious Web Content; Reported by Google TAG

What is Apple JavaScriptCore?

JavaScriptCore (JSC) is the JavaScript engine inside WebKit. It runs the JavaScript in Safari, in every iOS/iPadOS app that renders web content through WebKit (which includes third-party browsers on those platforms, since Apple requires them to use WebKit outside the EU), and in other WebKit-based browsers. JSC parses JavaScript and executes it through a tiered pipeline (an interpreter plus several JIT compilers), which makes it one of the largest and most attacker-reachable components on Apple platforms: any web page can feed it arbitrary input. Memory corruption bugs in the JSC JIT tiers have repeatedly served as the first stage of browser exploit chains, giving the attacker code execution inside the sandboxed WebKit content (renderer) process; a separate sandbox-escape bug is then needed for full OS-level compromise.

Overview

CVE-2024-44308 is a JavaScriptCore vulnerability in Apple iOS, iPadOS, macOS, Safari, and visionOS that lets a remote attacker achieve arbitrary code execution by getting a target to load a maliciously crafted web page. The bug was exploited in the wild before a fix existed: Apple shipped emergency patches on November 19, 2024, stating that it "is aware of a report that this issue may have been actively exploited on Intel-based Mac systems." The vulnerability was reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG), the team that tracks exploitation by commercial spyware vendors and nation-state actors. CVE-2024-44309, a WebKit cookie-management flaw that leads to cross-site scripting, was patched in the same releases, which suggests (but does not prove) that the two were used together in one exploit chain.

Affected Versions

Product              Vulnerable    Fixed
iOS / iPadOS 18.x    < 18.1.1      18.1.1
iOS / iPadOS 17.x    < 17.7.2      17.7.2
macOS Sequoia        < 15.1.1      15.1.1
Safari               < 18.1.1      18.1.1
visionOS             < 2.1.1       2.1.1

Safari 18.1.1 is the fix for macOS Ventura and macOS Sonoma, which did not receive a separate OS update for this issue; on those systems the Safari version, not the macOS version, determines whether the fix is present.

Technical Details

CWE-843 (Access of Resource Using Incompatible Type, i.e. type confusion). Apple's advisory describes the fix only as "improved checks" and gives no further detail. JavaScriptCore's JIT compilers speculate about the types and layouts of JavaScript objects in order to emit fast code; when crafted JavaScript invalidates such a speculation without the corresponding guard catching it, compiled code reads or writes memory using the wrong layout, and the resulting heap corruption is attacker-controlled. This bug class (seen in V8 as CVE-2024-4947, CVE-2024-5274 and CVE-2024-7971, among others) is one of the most commonly exploited in modern JavaScript engines. Controlled heap corruption inside JSC typically yields, in order:

  1. Arbitrary read/write primitives within the WebKit renderer sandbox.
  2. Code execution in the WebKit renderer process.
  3. (With a second vulnerability for sandbox escape) full OS-level code execution.

Apple's statement that exploitation was observed "on Intel-based Mac systems" does not mean other platforms are unaffected: the same JSC fix ships for every product listed above, and the bug is reachable from any web page. It does suggest that the later stages of the observed chain (sandbox escape and privilege escalation) were specific to x86-64 macOS, or that the campaign simply targeted such machines.

Discovery

Reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG). TAG finds vulnerabilities largely by monitoring spyware and nation-state exploit campaigns, so a TAG credit on a zero-day is consistent with the bug having been recovered from an in-the-wild exploit rather than found through proactive research; Apple's advisory does not say which.

Exploitation Context

Google TAG's involvement and Apple's "Intel-based Mac" qualifier are consistent with targeted spyware deployment: commercial spyware vendors (NSO Group, Paragon, QuaDream, etc.) and nation-state APTs routinely use browser zero-day chains to silently install surveillance implants on high-value targets (journalists, activists, government officials, executives). The simultaneous patching of CVE-2024-44309 (WebKit cookie-management flaw leading to XSS) and CVE-2024-44308 (JSC RCE) suggests a two-stage chain in which the XSS flaw injects attacker content into a trusted origin before the JSC bug is triggered. Note, however, that a JSC memory-corruption bug is reachable from any origin and does not need an XSS step to fire; the cookie bug could equally have served a post-exploitation purpose (for example acting as another site's session). How, or whether, the two were combined has not been disclosed.

Remediation

  1. Update immediately: iOS/iPadOS to 18.1.1 (or 17.7.2 on devices that cannot run iOS 18), macOS Sequoia to 15.1.1, Safari to 18.1.1 (this is the fix on macOS Ventura and Sonoma), visionOS to 2.1.1.
  2. Enable automatic software updates on all Apple devices to shrink the window between zero-day disclosure and patch delivery.
  3. High-risk individuals (journalists, activists, government officials) should consider enabling Apple Lockdown Mode, which disables JIT JavaScript compilation in Safari and WebKit except for sites the user explicitly excludes; this removes the JIT attack surface this bug class depends on, at the cost of some web performance and compatibility.
  4. Organizations managing Apple fleets: enforce minimum OS and Safari versions via MDM (check the Safari version separately on macOS 13/14, where the OS version alone says nothing about this fix) and prioritize patching for executives and other high-value targets.
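As an added example for the remediation steps above (not code from this advisory or from Apple), the following POSIX shell script encodes the fixed-version table and decides whether a reported OS or Safari version already contains the fix, including the branch split for iOS 17/18 and the macOS 13/14 case where only the Safari version matters. The product keys (ios, ipados, macos, safari, visionos), the function names and the sample inputs are this example's own; when run on a Mac it also checks the local machine with sw_vers and the Safari Info.plist.

```shell
#!/bin/sh
# Added example for this advisory (not Apple's or the page's own code): decide
# whether a reported OS/Safari version already contains the fix for
# CVE-2024-44308, using the fixed versions from the table above.  The product
# keys (ios, ipados, macos, safari, visionos) and function names are this
# script's own conventions.

# version_ge A B: succeed when dotted version A is >= B (three numeric parts;
# missing parts count as 0, so "18.1" < "18.1.1").
version_ge() {
    IFS=. read -r a1 a2 a3 _ <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 _ <<EOF
$2
EOF
    a1=${a1:-0} a2=${a2:-0} a3=${a3:-0}
    b1=${b1:-0} b2=${b2:-0} b3=${b3:-0}
    if [ "$a1" -ne "$b1" ]; then
        [ "$a1" -gt "$b1" ]
    elif [ "$a2" -ne "$b2" ]; then
        [ "$a2" -gt "$b2" ]
    else
        [ "$a3" -ge "$b3" ]
    fi
}

# fixed_version PRODUCT VERSION: print the first fixed release for the branch
# VERSION belongs to.  Returns 1 when the table lists no fix for that branch
# (for example iOS 16), 2 for a product the table does not cover.
fixed_version() {
    major=${2%%.*}
    case "$1" in
        ios|ipados)
            if   [ "${major:-0}" -ge 18 ]; then echo 18.1.1
            elif [ "${major:-0}" -eq 17 ]; then echo 17.7.2
            else return 1
            fi ;;
        macos)    echo 15.1.1 ;;   # table covers Sequoia only; on macOS 13/14 check Safari
        safari)   echo 18.1.1 ;;
        visionos) echo 2.1.1 ;;
        *) echo "fixed_version: unknown product '$1'" >&2; return 2 ;;
    esac
}

# is_patched PRODUCT VERSION: succeed when VERSION already contains the fix.
is_patched() {
    fixed=$(fixed_version "$1" "$2") || return $?
    version_ge "$2" "$fixed"
}

# report PRODUCT VERSION: print one line and return is_patched's verdict.
report() {
    if is_patched "$1" "$2"; then
        echo "$1 $2: patched for CVE-2024-44308"
    else
        echo "$1 $2: NOT patched (update to $(fixed_version "$1" "$2" 2>/dev/null || echo 'a supported release'))"
        return 1
    fi
}

# Constructed sample inputs (not real device data) showing the decision table.
for entry in "ios 18.1.1" "ios 18.1" "ipados 17.7.2" "ios 16.7.10" \
             "macos 15.1.1" "macos 15.1" "safari 18.1.1" "visionos 2.1"; do
    set -- $entry
    report "$1" "$2" || true
done

# Live check when run on a Mac (skipped elsewhere).  sw_vers and the Safari
# Info.plist read are standard macOS commands; /Applications/Safari.app is
# the default install location.
if [ "$(uname)" = Darwin ]; then
    report macos "$(sw_vers -productVersion)" || true
    safari=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null)
    if [ -n "$safari" ]; then report safari "$safari" || true; fi
fi
```

The version comparison is done field by field rather than with a string or sort -V comparison, so that 18.2 correctly sorts above 18.1.1 and 18.1 (no third field) sorts below it; an MDM compliance rule should make the same distinction rather than matching the version string as text.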

Key Details

Property              Value
CVE ID                CVE-2024-44308
Vendor / Product      Apple — Multiple Products
NVD Published         2024-11-20
NVD Last Modified     2026-04-03
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-843
CISA KEV Added        2024-11-21
CISA KEV Deadline     2024-12-12
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-12-12. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-11-19  Apple releases iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, Safari 18.1.1, visionOS 2.1.1: emergency patches for CVE-2024-44308 and CVE-2024-44309
2024-11-20  CVE published; Apple acknowledges active exploitation on Intel-based Macs
2024-11-21  Added to CISA Known Exploited Vulnerabilities catalog
2024-12-12  CISA BOD 22-01 remediation deadline