CVE-2024-44296
📋 TL;DR
This vulnerability allows malicious web content to bypass Content Security Policy (CSP) enforcement in Apple's WebKit browser engine. It affects users of Apple devices and software that use WebKit for web content rendering. Successful exploitation could allow attackers to execute scripts that would normally be blocked by CSP.
💻 Affected Systems
- tvOS
- iOS
- iPadOS
- watchOS
- visionOS
- macOS Sequoia
- Safari
📦 What is this software?
Ipados by Apple
Ipados by Apple
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Safari by Apple
Tvos by Apple
Watchos by Apple
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass CSP protections to execute malicious JavaScript, potentially leading to cross-site scripting (XSS) attacks, session hijacking, or data theft from web applications that rely on CSP for security.
Likely Case
Malicious websites could bypass CSP restrictions to load unauthorized scripts or resources, potentially enabling clickjacking, ad injection, or limited XSS attacks against vulnerable web applications.
If Mitigated
With proper CSP configurations and defense-in-depth measures, the impact is limited to specific web applications that rely solely on CSP for script execution prevention.
🎯 Exploit Status
Exploitation requires delivering malicious web content to vulnerable devices, typically through phishing or compromised websites. No public exploit code is currently known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, visionOS 2.1, macOS Sequoia 15.1, Safari 18.1
Vendor Advisory: https://support.apple.com/en-us/121563
Restart Required: Yes
Instructions:
1. Open Settings app. 2. Navigate to General > Software Update. 3. Download and install the latest available update for your device. 4. Restart device when prompted.
🔧 Temporary Workarounds
Disable JavaScript (temporary)
allTemporarily disable JavaScript in Safari settings to prevent script execution while waiting for patch
Use alternative browser
allUse browsers not based on WebKit (Chrome, Firefox) until devices are patched
🧯 If You Can't Patch
- Implement additional web application security controls beyond CSP (WAF, input validation)
- Restrict access to untrusted websites and implement network filtering
🔍 How to Verify
Check if Vulnerable:
Check device version in Settings > General > About > Software VersionCheck Version:
Settings > General > About > Software Version (iOS/iPadOS/tvOS/watchOS/visionOS) or About This Mac > Software Update (macOS)Verify Fix Applied:
Verify installed version matches or exceeds patched versions listed in affected_systems📡 Detection & Monitoring
Log Indicators:
- Unexpected CSP violation reports in web server logs
- Increased script execution from unexpected sources
Network Indicators:
- Unusual outbound connections from Apple devices to suspicious domains
- Traffic patterns suggesting bypassed CSP policies
SIEM Query:
source="web_server" AND (csp_violation OR content_security_policy) AND severity=high🔗 References
- https://support.apple.com/en-us/121563
- https://support.apple.com/en-us/121564
- https://support.apple.com/en-us/121565
- https://support.apple.com/en-us/121566
- https://support.apple.com/en-us/121567
- https://support.apple.com/en-us/121569
- https://support.apple.com/en-us/121571
- http://seclists.org/fulldisclosure/2024/Oct/11
- http://seclists.org/fulldisclosure/2024/Oct/16
- http://seclists.org/fulldisclosure/2024/Oct/19
- http://seclists.org/fulldisclosure/2024/Oct/9
- https://lists.debian.org/debian-lts-announce/2024/11/msg00019.html
