Apple fixes Safari data leak (and patches a zero-day!) – update now
![Apple fixes Safari data leak (and patches a zero-day!) – update now](/static/build/img/news/apple-fixes-safari-data-leak-and-patches-a-zero-day-update-now-medium.jpg)
Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on.
That vulnerability, now known as CVE-2022-22594, showed up in Safari because of a bug in WebKit, the "browser rendering engine", as these things are generally known, on which the Safari app is based.
Although Safari is the only mainstream WebKit-based browser on Apple's macOS, that's not the case on Apple's mobile devices.
Of course, the big-news Safari "supercookie" bug isn't the only security hole patched in this batch of updates: numerous other yet-more-serious bugs were patched as well.
These security updates can be considered critical, given the number of remote code execution bugs that could, in theory at least, be used without your consent to install covert surveillance software, implant malware, steal data, secretly jailbreak your device, and more.
On iOS 15, iPadOS 15, Monterey 12 and Big Sur 11, one of the RCE bugs that potentially gives kernel-level control - typically the worst sort of RCE bug you can get - is listed with Apple's typically understated warning that the company "is aware of a report that this issue may have been actively exploited."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-18 | CVE-2022-22594 | Origin Validation Error vulnerability in Apple products. A cross-origin issue in the IndexDB API was addressed with improved input validation. | 4.3 |