Apple fixes Safari data leak (and patches a zero-day!) – update now
2022-01-27 21:09

Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on.

That vulnerability, now known as CVE-2022-22594, showed up in Safari because of a bug in WebKit, the "browser rendering engine", as these things are generally known, on which the Safari app is based.

Although Safari is the only mainstream WebKit-based browser on Apple's macOS, that's not the case on Apple's mobile devices.

Of course, the big-news Safari "supercookie" bug isn't the only security hole patched in this batch of updates: numerous other yet-more-serious bugs were patched as well.

These security updates can be considered critical, given the number of remote code execution bugs that could, in theory at least, be used without your consent to install covert surveillance software, implant malware, steal data, secretly jailbreak your device, and more.

On iOS 15, iPadOS 15, Monterey 12 and Big Sur 11, one of the RCE bugs that potentially gives kernel-level control - typically the worst sort of RCE bug you can get - is listed with Apple's typically understated warning that the company "is aware of a report that this issue may have been actively exploited."


News URL

https://nakedsecurity.sophos.com/2022/01/27/apple-patches-safari-data-leak-oh-and-a-zero-day-patch-now/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2022-03-18 | CVE-2022-22594 | Origin Validation Error vulnerability in Apple products. A cross-origin issue in the IndexDB API was addressed with improved input validation. (network, apple, CWE-346) | 4.3

Related vendor

VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Apple | | 138 | 566 | 4109 | 1589 | 2428 | 8692