Apple releases Safari 15.6.1 to fix zero-day bug used in attacks

Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs.

The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device.

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," warns Apple in a security bulletin released today.

An out-of-bounds write vulnerability is when an attacker can supply input to a program that causes it to write data past the end or before the beginning of a memory buffer.

This causes the program to crash, corrupt data, or in the worst-case scenario, remote code execution. Apple says they fixed the bug through improved bounds checking.

Apple says the vulnerability was disclosed by a researcher who wishes to remain anonymous.

This zero-day vulnerability is the same one that was patched by Apple yesterday for macOS Monterey and iPhone/iPads.

Apple has not provided details on how the vulnerability is being used in attacks other than saying that it "may have been actively exploited."

This is the seventh zero-day vulnerability fixed by Apple in 2022, with the previous bugs outlined below:

• In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
• In January, Apple patched two more actively exploited zero-days that allowed attackers to execute code with kernel privileges (CVE-2022-22587) and track web browsing activity (CVE-2022-22594).
• In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs.

Apple releases Safari 15.6.1 to fix zero-day bug used in attacks