Security News > 2022 > July > Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge
2022-07-21 20:38

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS, as well as into the updates for iOS and iPad OS. But the updates for the older versions of macOS don't include Safari, so the standalone Safari update therefore applies to users of previous macOS versions, who will need to download and install two updates, not just one.

That's because one of the browser-related patches in this round of updates deals with a vulnerability in WebRTC known as CVE-2022-2294.

Whether that's because the bug isn't as easy to exploit in Safari, or simply because no one has traced back any Safari-specific misbehaviour to this particular flaw, we can't tell you, but we're treating it as an "Honorary zero-day" vulnerability, and patching zealously as a result.

As usual, the numerous bugs patched by Apple in these updates include vulnerabilities that could, in theory, be chained together by determined attackers.

Apple, to its credit, makes patching everything the default: you don't get to choose which patches to deploy and which to leave "For later".


News URL

https://nakedsecurity.sophos.com/2022/07/21/apple-patches-0-day-browser-bug-fixed-2-weeks-ago-in-chrome-edge/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-07-28 CVE-2022-2294 Out-of-bounds Write vulnerability in multiple products
Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349