Apple has moved fast to patch its Safari browser against a serious security vulnerability that is affecting a number of its operating systems.
Safari 15.6.1 for macOS Big Sur and Catalina is available to download now, with anyone using those versions advised to upgrade immediately.
The fix for CVE-2022-32893 patches an out-of-bounds write flaw in WebKit, the engine of Safari that is also used by other apps with web access.
Out of bounds write flaw
Apple has confirmed the flaw is allegedly already being exploited in the wild, and when abused, the flaw allows threat actors to execute remote code on a vulnerable device, remotely.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said in a security advisory.
An out-of-bounds write flaw happens when a threat actor forces an input program to write data before the beginning, or after the end, of the memory buffer. That crashes the program, corrupts the data, and allows threat actors to remotely execute code. The fix for Big Sur and Catalia is in the same vein as the one for Monterey – through improved bounds checking.
Given that the flaw is being exploited in the wild, Apple is staying tight-lipped on the issue until most endpoints are patched.
The company said it had been tipped off to the flaws by an anonymous user, adding that it had now improved its bounds by checking for both bugs.
Apple has had its hands full fixing zero-days this year. In January 2022, it fixed two such flaws, namely CVE-2022-22578, and CVE-2022-22594, which allowed arbitrary code execution with kernel privileges.
A month later, it fixed another zero-day, affecting iPhones, iPads, and Macs, and allowing threat actors to crash the OS and run remote code execution, and in March, Apple patched CVE-2022-22674, and CVE-2022-22675, two zero-days abused to execute code with Kernel privileges.
- These are the best firewall options around right now
Via: BleepingComputer