Update to macOS Monterey Fixes Safari Leak

Update to macOS Monterey Fixes Safari Leak

Along with its release of iOS and iPadOS 15.3, watchOS 8.4, and more, Apple today began rolling out macOS Monterey 12.2 to all customers. The most notable fix in the update resolves an issue that let Safari leak sensitive information between web pages.

WebKit Storage Bug Caused Safari Leak

In the release notes, Apple points out a cross-origin issue in the IndexDB API. Identified as CVE-2022-22594 and reported by Martin Bajanik of FingerprintJS, the bug allowed websites to track sensitive user information across different sites.

According to Apple, improved input validation resolved the issue. Testers at 9to5Mac confirmed the bug no longer affects Safari on macOS as of the Release Candidate distributed last week.

Apple also patched three other security issues in WebKit. These include issues allowing maliciously crafted emails and web content allowing arbitrary code execution as well as entering with Content Security Policies.

Other Resolved Issues in macOS Monterey 12.2

The number of bugs fixed by macOS Monterey 12.2 is a fairly extensive list, so installing the update as soon as possible would be a great idea. Do so by going to System Preferences > Software Update and clicking Update Now. If it doesn’t appear right away, you may have to refresh Software Update to make it show up.

Update to macOS Monterey Fixes Safari Leak

Here’s the complete list of security fixes found in the latest update.

AMD Kernel

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

CVE-2022-22586: an anonymous researcher

ColorSync

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

Crash Reporter

Impact: A malicious application may be able to gain root privileges

CVE-2022-22578: an anonymous researcher

iCloud

Impact: An application may be able to access a user’s files

CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

Intel Graphics Driver

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto

IOMobileFrameBuffer

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

Kernel

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

Model I/O

Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

PackageKit

Impact: An application may be able to access restricted files

CVE-2022-22583: an anonymous researcher, Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point

WebKit

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

WebKit

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

CVE-2022-22592: Prakash (@1lastBr3ath)

WebKit Storage

Impact: A website may be able to track sensitive user information

CVE-2022-22594: Martin Bajanik of FingerprintJS

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.