CVE-2024-44308, a critical Safari vulnerability, has been actively exploited, impacting iOS, visionOS, and macOS.
Affected Software and Versions
The CVE-2024-44308 vulnerability impacts several Apple platforms, as summarized below:
| Software | Affected Version | Patched Version |
|---|---|---|
| iOS | 17.7.1, 18.1 | 17.7.2, 18.1.1 |
| visionOS | 2.1 | 2.1.1 |
| macOS Sequoia | 15.1 | 15.1.1 |
Apple has resolved this vulnerability in its latest updates, including iOS 17.7.2 and 18.1.1, visionOS 2.1.1, and macOS Sequoia 15.1.1. Users are strongly advised to install these updates immediately to protect their devices from potential exploitation.
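As an added example that is not part of the original article, the following Python check maps the version table above onto a device inventory so a fleet can be triaged for CVE-2024-44308. The CSV inventory, hostnames and the "unlisted" status for versions the advisory does not mention are assumptions made for this example.

```python
# Added compliance check for CVE-2024-44308 (not from the advisory itself).
# Affected/patched pairs are copied from the advisory table on this page.
ADVISORY = {
    "iOS": [("17.7.1", "17.7.2"), ("18.1", "18.1.1")],
    "visionOS": [("2.1", "2.1.1")],
    "macOS Sequoia": [("15.1", "15.1.1")],
}

def parse_version(text):
    """'18.1' -> (18, 1, 0); missing trailing components count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def assess(platform, version):
    """Classify one device as 'patched', 'vulnerable' or 'unlisted'.

    Only releases on the same major version as a table entry are compared,
    so anything the advisory does not name (older builds, other platforms)
    comes back 'unlisted' rather than being silently assumed safe.
    """
    v = parse_version(version)
    for affected, patched in ADVISORY.get(platform, []):
        a, p = parse_version(affected), parse_version(patched)
        if v[0] != p[0]:          # different major release: not comparable
            continue
        if v >= p:                # fix version or anything newer on that major
            return "patched"
        if v == a:                # exactly the build named as affected
            return "vulnerable"
    return "unlisted"

# Constructed sample inventory: hostname, platform, reported OS version.
SAMPLE_INVENTORY = """\
ipad-01,iOS,17.7.1
iphone-02,iOS,18.1.1
iphone-03,iOS,18.0
vision-01,visionOS,2.1
mac-01,macOS Sequoia,15.1
mac-02,macOS Sequoia,15.1.1
"""

def audit(csv_text):
    """Return {hostname: status} for a CSV inventory like SAMPLE_INVENTORY."""
    report = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, platform, version = (f.strip() for f in line.split(",", 2))
        report[host] = assess(platform, version)
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unlisted" should be checked against Apple's own security release notes rather than treated as patched.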
The vulnerability, reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group and analyzed by Dohyun Lee of USELab, Korea University, arises from register corruption in JavaScriptCore during Speculative JIT compiling, affecting integer arrays in DFGSpeculativeJIT.cpp.
The defect is one of ordering: the scratch2GPR register is allocated only after getIntTypedArrayStoreOperand() has been called, so if that call takes a slow path the register is used unnecessarily and the register state becomes inconsistent, which is what creates the security risk.
The patch fixes the issue by reordering operations to manage the scratch2GPR register correctly, ensuring register state integrity even on slow paths.
The vulnerability arises from the following code flow:
- Call getIntTypedArrayStoreOperand(): Handles store operations for typed arrays.
- Add Slow Path: A slow path is introduced, requiring proper register management.
- Incorrect Allocation: The scratch2GPR register is wrongly allocated after the slow path, causing state inconsistencies if the path isn’t used.
Proof-of-Concept (PoC)
The PoC code, though incomplete, shows how to trigger the vulnerability. It uses JavaScript objects and arrays to access vulnerable functions, providing a foundation for further exploit development.
Users should update their devices immediately to mitigate this vulnerability.
This highlights the need for timely updates and Apple’s commitment to addressing security threats promptly.