CVE-2024-44309 — Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability

CVE-2024-44309

Apple WebKit — Zero-Day Cookie Management XSS Enables Data Theft; Paired with CVE-2024-44308 JavaScriptCore RCE; Google TAG Discovery

What is Apple WebKit?

WebKit is Apple's web rendering engine. It powers Safari on every Apple platform and, apart from the EU alternative-engine carve-out introduced in iOS 17.4, every third-party browser on iOS and iPadOS has to use it as well. WebKit handles HTML parsing and rendering, CSS, JavaScript execution (via JavaScriptCore) and cookie and session storage for web content shown in Apple's browsers and in embedded web views (WKWebView), so a flaw in its cookie handling affects far more than Safari. A vulnerability that lets content from one site reach cookies scoped to another enables session-token theft, credential capture and unauthorized cross-site actions; Apple and NVD classify this one as cross-site scripting (CWE-79).

Overview

CVE-2024-44309 is a zero-day cross-site scripting vulnerability in Apple WebKit's cookie management, disclosed and patched on November 19, 2024 together with CVE-2024-44308 (a JavaScriptCore type confusion leading to arbitrary code execution). Apple credited both to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) and stated that it was aware of reports that both issues may have been exploited, on Intel-based Mac systems. CVE-2024-44308 provides code execution; CVE-2024-44309 enables data theft via XSS. Apple addressed the pair in emergency updates iOS 18.1.1 and 17.7.2, iPadOS 18.1.1 and 17.7.2, macOS Sequoia 15.1.1, Safari 18.1.1 and visionOS 2.1.1.

Affected Versions

Platform Patched Version
iOS 18.1.1 / 17.7.2
iPadOS 18.1.1 / 17.7.2
macOS Sequoia 15.1.1
Safari 18.1.1
visionOS 2.1.1

Technical Details

CWE-79 (Cross-Site Scripting). Apple's advisory describes the flaw only as "a cookie management issue" in WebKit that "was addressed with improved state management", with the impact that "processing maliciously crafted web content may lead to a cross site scripting attack"; no further technical details have been published. The CWE-79 classification and the impact statement imply that attacker-controlled web content can cause WebKit to apply or expose cookie state belonging to a different origin, which is exactly what the same-origin policy exists to prevent. In practice that lets a page the victim visits read authentication cookies for other sites the victim is logged into, act on those sites with the victim's session, or capture session tokens for account takeover. Because the defect is in the engine's own cookie state handling rather than in any site's script, server-set attributes such as HttpOnly cannot be assumed to block it; they remain worth checking as defence in depth.

Within the pair, CVE-2024-44308 (JavaScriptCore type confusion) supplies arbitrary code execution in the renderer, while CVE-2024-44309 supplies cookie and session theft. Apple has not described how the two were combined in the observed attacks, but the fact that both were reported together and both flagged as exploited points to a single web-delivered chain covering code execution and credential theft.
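The attribute check below is an added example, not code from Apple or from the advisory. It parses Set-Cookie headers (a constructed sample with a weak session cookie beside a hardened one) and flags session cookies that lack HttpOnly, Secure or SameSite, or that are scoped to a whole domain. Those attributes bound what a script-level cookie read can reach; because CVE-2024-44309 sits in WebKit's own cookie handling, treat them as defence in depth for the sites you operate, not as a mitigation for the engine bug. The session-name pattern and the sample header strings are assumptions.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit
// script-level cookie theft. Not Apple code; the sample headers are constructed.

// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return the weaknesses of a cookie whose name looks like a session or auth token.
// The name pattern is an assumption; adjust it to your own cookie names.
function auditCookie(header, { sessionNames = /sess|auth|token|sid/i } = {}) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!sessionNames.test(c.name)) return { name: c.name, findings };
  if (!c.attributes.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.attributes.secure) findings.push('missing Secure: sent over plaintext HTTP');
  const ss = String(c.attributes.samesite || '').toLowerCase();
  if (ss === '') findings.push('missing SameSite: attached to cross-site requests by default');
  else if (ss === 'none') findings.push('SameSite=None: attached to all cross-site requests');
  if (c.attributes.domain) findings.push(`Domain=${c.attributes.domain}: shared with every subdomain`);
  return { name: c.name, findings };
}

// Audit every Set-Cookie header of a response and keep only cookies with findings.
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map((h) => auditCookie(h)).filter((r) => r.findings.length > 0);
}

// Constructed sample: a weak session cookie beside a hardened __Host- cookie.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Domain=.example.test',
  '__Host-session=def456; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
];

for (const r of auditResponse(SAMPLE_HEADERS)) {
  console.log(r.name, r.findings);
}
```

Only the first cookie is reported; the `__Host-` cookie passes because the prefix already forces Secure and a host-only scope, and the theme cookie is ignored because it carries no session material.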

Discovery

Discovered by Clément Lecigne and Benoît Sevens at Google TAG — the same researchers who have identified numerous WebKit zero-days used in commercial spyware and nation-state targeted attacks. The TAG attribution confirms these vulnerabilities were observed being exploited in the wild against specific, high-value targets rather than opportunistic campaigns. Apple's advisory notes exploitation "on Intel-based Mac systems," though the patches cover all supported platforms.

Exploitation Context

WebKit zero-days reported by Google TAG have typically come from targeted surveillance operations, whether commercial spyware chains (Pegasus, Predator, Reign) or nation-state campaigns against journalists, activists, dissidents and government officials, rather than from opportunistic crimeware. Pairing a cookie-management XSS with a JavaScriptCore RCE suggests a chain in which CVE-2024-44308 gives code execution in the renderer while CVE-2024-44309 harvests credentials from the victim's other browser sessions. Apple has not confirmed the operator or the targets beyond noting exploitation on Intel-based Mac systems.

Remediation

  1. Update immediately to iOS 18.1.1 or 17.7.2, iPadOS 18.1.1 or 17.7.2, macOS Sequoia 15.1.1, Safari 18.1.1, and visionOS 2.1.1. On macOS Ventura and macOS Sonoma the fix ships as the Safari 18.1.1 update, so check the Safari version there rather than the OS version.
  2. Confirm CVE-2024-44308 (JavaScriptCore RCE) is patched as well; both vulnerabilities are fixed by the same updates.
  3. Enable Lockdown Mode for high-risk users. It disables just-in-time (JIT) JavaScript compilation in Safari for sites not explicitly excluded, which removes much of the JavaScriptCore attack surface that CVE-2024-44308 relies on; it is not documented as a mitigation for the cookie issue itself.
  4. Keep all Apple devices on automatic updates, and for managed fleets verify installed versions against the fixed builds rather than relying on the update prompt having been accepted.
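To verify that a fleet is at or above the fixed builds, the script below is an added example (not Apple tooling). It encodes the patched versions from the table on this page and compares an installed version against them per major branch, so that iOS 17.7.2 counts as patched while 18.0.1 does not, and a macOS 14 host is reported as not patched at the OS level (its fix is Safari 18.1.1). The file name and the platform labels are assumptions.

```javascript
// Added example: check an installed version against the fixed builds for
// CVE-2024-44309 / CVE-2024-44308 listed on this page. Not Apple tooling.

// Minimum patched versions per platform, from the Affected Versions table.
// A platform may have more than one fixed branch (iOS 18.1.1 and 17.7.2).
const PATCHED = {
  iOS: ['18.1.1', '17.7.2'],
  iPadOS: ['18.1.1', '17.7.2'],
  macOS: ['15.1.1'],
  Safari: ['18.1.1'],
  visionOS: ['2.1.1'],
};

// Component-wise numeric comparison: 18.1.1 > 18.1 and 17.7.10 > 17.7.2,
// which a plain string comparison would get wrong. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// true when `installed` is at or above the fixed build on its own major branch,
// or on a newer major than any listed fix; false for older majors, which had
// no fix released (or, for macOS 13/14, are fixed via Safari 18.1.1 instead).
function isPatched(platform, installed) {
  const fixes = PATCHED[platform];
  if (!fixes) throw new Error(`unknown platform: ${platform}`);
  const major = Number(installed.split('.')[0]);
  const sameBranch = fixes.find((f) => Number(f.split('.')[0]) === major);
  if (sameBranch) return compareVersions(installed, sameBranch) >= 0;
  const newestFixedMajor = Math.max(...fixes.map((f) => Number(f.split('.')[0])));
  return major > newestFixedMajor;
}

// Usage (file name is an assumption):
//   node check-44309.js macOS "$(sw_vers -productVersion)"
//   node check-44309.js Safari "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)"
if (typeof process !== 'undefined' && process.argv.length >= 4) {
  const [platform, version] = process.argv.slice(2, 4);
  console.log(`${platform} ${version}: ${isPatched(platform, version) ? 'patched' : 'NOT patched'}`);
}
```

The per-branch rule matters for iOS and iPadOS: a device still on the 17 branch is fixed at 17.7.2, so a naive "must be at least 18.1.1" check would flag patched devices as vulnerable, while a naive "at least 17.7.2" check would clear an unpatched 18.0.1 device.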

Key Details

Property Value
CVE ID CVE-2024-44309
Vendor / Product Apple — Multiple Products
NVD Published 2024-11-20
NVD Last Modified 2026-04-03
CVSS 3.1 Score 6.3
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Severity MEDIUM
CWE CWE-79
CISA KEV Added 2024-11-21
CISA KEV Deadline 2024-12-12
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

Required Action

CISA BOD 22-01 Deadline: 2024-12-12. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. The MEDIUM CVSS rating reflects NVD's generic scoring of the XSS impact; the vulnerability was exploited in the wild before a patch existed, which is why it carries a KEV deadline and should be prioritized accordingly.

Timeline

Date Event
2024-11-19 Apple releases emergency patches iOS 18.1.1, macOS 15.1.1, Safari 18.1.1, visionOS 2.1.1 fixing CVE-2024-44308 and CVE-2024-44309
2024-11-20 CVEs formally published
2024-11-21 Added to CISA Known Exploited Vulnerabilities catalog
2024-12-12 CISA BOD 22-01 remediation deadline