Apple Releases Safari with security fixes for macOS

Apple Releases Safari 15.6.1 with security fixes for macOS

Apple Releases Safari 15.6.1 with security fixes for macOS

Apple has updated Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs.

The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit which allows a threat actor to execute code remotely on a vulnerable device.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” warns Apple in a security bulletin released today.

An out-of-bounds write vulnerability is when an attacker can allow input to a program that causes it to write data past the end or before the beginning of a memory buffer.

This causes the program to crash, corrupt data, or in the worst-case scenario, remote code execution and Apple says they fixed the bug through improved bounds checking.

Safari 15.6.1 Released August 18, 2022

WebKit

  • Available for: macOS Big Sur and macOS Catalina
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • WebKit Bugzilla: 243557 CVE-2022-32893: an anonymous researcher

Apple also says the vulnerability was disclosed by a researcher who wishes to remain anonymous. This zero-day vulnerability is patched by Apple yesterday for macOS Monterey and iPhone/iPads.

Apple has not provided more details on how the vulnerability is being used in attacks other than saying that it “may have been actively exploited.”

This is the seventh zero-day issue fixed by Apple in 2022, with the previous bugs outlined below:

  • In March, Apple patched two more zero-day bugs which were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
  • In January, Apple patched two more actively exploited zero-days which allowed attackers to execute code with kernel privileges (CVE-2022-22587) and track web browsing activity (CVE-2022-22594).
  • In February, Apple released security updates to fix a new zero-day bug affecte to hack iPhones, iPads, and Macs.

Leave a Reply