Headline
Apple Security Advisory 2022-10-27-14
Apple Security Advisory 2022-10-27-14 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-10-27-14 Additional information for APPLE-SA-2022-09-12-5 Safari 16
Safari 16 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213442.
Safari Extensions
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to track users through Safari web
extensions
Description: A logic issue was addressed with improved state
management.
WebKit Bugzilla: 242278
CVE-2022-32868: Michael
WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
WebKit Bugzilla: 241969
CVE-2022-32886: P1umer, afang5472, xmzyshypnc
WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
WebKit Bugzilla: 242762
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with
Trend Micro Zero Day Initiative
WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 243236
CVE-2022-32891: @real_as3617 and an anonymous researcher
Entry updated October 27, 2022
WebKit Sandboxing
Available for: macOS Big Sur and macOS Monterey
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with improvements to the
sandbox.
WebKit Bugzilla: 243181
CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity’s WeBin lab
Entry added October 27, 2022
Safari 16 may be obtained from the Mac App Store.
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke
NxlCEg/+KnbktSos4M/gMt7rkcCymB4Ul4mMw0XW6eJVBL34H3XiOM9i8OoRGbg2
F3Ft4mxRWFlzA9SgNVuvMBVHREkOdeOJ37PDtfZp9bITGAtOww8K8Ng56VxhpPem
gs5q+veUTu95cVXDfGebwQNYtXc76+Zg/+Ju9VmhFJg0XXrjC2mzAEC8Mz2yy91b
9otf+UeDmdBUF3eLrygVAwtXE0/swZVaRMeDu2EYFuJWl/afN+ICOrHYLxtLa9dB
1uvw+RbOhwFRdKB010tcUUhf+M06Tp6pHPvtWHdS+Xy3RxA1d4rMzdon4TmsdEdr
dBpOiu0EOFLMXekVosIkkvKLXAWwH5C1Ogap7IchXnc8c+rEm6Hl1QuoH4QL0krD
P+sGYV4457e+VASkaUDEr6yxXJj+8MILm4x+7akD767qhoKvzpIfrFKY2gMnWkvK
JNUMzPXCYLkht39KWGEJk/b/HMvlwniBmXKGDVaTG/oNcMVFyRvx81qxrNlELxcw
lYSfP5tICA0CBWyVXYvUy1JRe15QrelLmCwpcAvAz1Edqu90sAAsPybvrPJHcZxD
2O+parML2rVJ6zOVBg1cOddohgnJEbT3PzDW48HRV8Ub5I8WzvIKqnS+R7VWkh66
Av8d8ElI37WY2sfIsFwXvhsIYFLZL86nel5HVEflmog2K0g/Kd0=
=lLIK
-----END PGP SIGNATURE-----
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
A logic issue was addressed with improved state management. This issue is fixed in iOS 16. Deleted contacts may still appear in spotlight search results.
A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Ubuntu Security Notice 5642-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Categories: Exploits and vulnerabilities Categories: News Tags: macOS Tags: iOS Tags: CVE-2022-32894 Tags: CVE-2022-32893 Tags: kernel privileges Tags: WebKit Tags: actively exploited Tags: watering hole Tags: exploit kit Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. (Read more...) The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.