Along with its release of iOS and iPadOS 15.3, watchOS 8.4, and more, Apple today began rolling out macOS Monterey 12.2 to all customers. The most notable fix in the update resolves an issue that let Safari leak sensitive information between web pages.
WebKit Storage Bug Caused Safari Leak
In the release notes, Apple points out a cross-origin issue in the IndexDB API. Identified as CVE-2022-22594 and reported by Martin Bajanik of FingerprintJS, the bug allowed websites to track sensitive user information across different sites.
According to Apple, improved input validation resolved the issue. Testers at 9to5Mac confirmed the bug no longer affects Safari on macOS as of the Release Candidate distributed last week.
Apple also patched three other security issues in WebKit. These include issues allowing maliciously crafted emails and web content allowing arbitrary code execution as well as entering with Content Security Policies.
Other Resolved Issues in macOS Monterey 12.2
The number of bugs fixed by macOS Monterey 12.2 is a fairly extensive list, so installing the update as soon as possible would be a great idea. Do so by going to System Preferences > Software Update and clicking Update Now. If it doesn’t appear right away, you may have to refresh Software Update to make it show up.
Here’s the complete list of security fixes found in the latest update.
AMD Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
CVE-2022-22586: an anonymous researcher
ColorSync
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro
Crash Reporter
Impact: A malicious application may be able to gain root privileges
CVE-2022-22578: an anonymous researcher
iCloud
Impact: An application may be able to access a user’s files
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)
Intel Graphics Driver
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto
IOMobileFrameBuffer
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)
Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs
Model I/O
Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution
CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro
PackageKit
Impact: An application may be able to access restricted files
CVE-2022-22583: an anonymous researcher, Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point
WebKit
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript
Description: A validation issue was addressed with improved input sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)
WebKit
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
CVE-2022-22592: Prakash (@1lastBr3ath)
WebKit Storage
Impact: A website may be able to track sensitive user information
CVE-2022-22594: Martin Bajanik of FingerprintJS