Apple is rolling out important software updates this week, patching dozens of security and privacy flaws. Updating is a must, to address an important privacy flaw as well as a zero-day that bad actors may be actively exploiting in the wild.
iOS 15.3 and macOS Monterey 12.2 both ship the much-awaited fix for the cross-origin issue discovered by FingerprintJS in the IndexedDB API used by Apple’s WebKit browser engine. If exploited, “a website may be able to track sensitive user information,” according to the release notes.
While Apple’s advisory is terse, Martin Bajanik of FingerprintJS offers plenty of details about the flaw in a Jan. 14 entry on his company’s blog.
Tracked as CVE-2022-22594, the bug affects every product that leverages WebKit, from iPhone and Mac to Apple TV and Apple Watch.
Mac users who can’t immediately perform a system update are offered a handy standalone Safari 15.3 package to quickly address this issue, as well as other WebKit-related flaws.
Another critical flaw shared by different products is CVE-2022-22587, credited to researchers Meysam Firouzi and Siddharth Aeri, as well as a third, anonymous, researcher.
“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” according to the release notes.
Notably, this is the third zero-day vulnerability discovered in IOMobileFrameBuffer by white hat hackers since July 2021.
The flaw is addressed not only in iOS 15 and macOS 12 (Monterey), but also in macOS Big Sur with version 11.6.3.
Security Update 2022-001 Catalina addresses even more bugs inherent to that particular macOS version. Readers can review the bug fixes by accessing the individual advisories below:
Be sure to make these updates a priority and, as always, stay safe!