Owners of Macs with an older macOS operating system surfed the web for around 24 hours with a known serious vulnerability that Apple says is actively being exploited.
Old systems will follow the next day
After the group initially only provided a patch for macOS 12 aka Monterey (plus iOS and iPadOS) on Wednesday evening, a fix for macOS 11 (Big Sur) and macOS 10.15 (Catalina) followed on Thursday evening. The fix comes in the form of an update to the Safari browser, which has now landed at version 15.6.1. The update appears to only fix a single vulnerability — the same one addressed in macOS 12.5.1 from the previous day.
However, a second problem in the kernel of macOS 12 (as well as iOS and iPadOS 15) was not fixed, with which malicious programs were able to run arbitrary code with kernel privileges. Whether this error simply does not exist in Big Sur and Catalina or whether Apple will be late with another patch around the corner in the next few days can only be speculated on – no information was given on this.
What the bug can do to Safari
The bug that has now been fixed with Safari 15.6.1 has the CVE ID 2022-32893 and is assigned to an “anonymous security researcher” as the discoverer. As in Monterey and iOS (as well as iPadOS 15), a manipulated website (or simply manipulated web content running in WebKit) can run arbitrary code. Apple does not explain the rights with which this is possible. If root privileges were involved, this would be devastating – an attacker could then do practically everything from recording keystrokes, reading out access data to grabbing photos or activating the camera and microphone.
The bug is an out-of-bounds write issue that is addressed with improved bounds checking. Apple emphasizes that they have a report that the problem is “actively exploited”. It is still unclear on which websites the exploit is distributed. An early update is therefore urgently needed. Updating is particularly easy on Catalina and Big Sur: Since only Safari is updated, the operating system does not have to be restarted, and the update only takes a few minutes.
