Tuesday04 October 2022

Apple Patches Safari WebKit Bug and a 0-Day

Reading time is around minutes.

Yesterday Apple released several patches for their different operating systems. One that we have talked about before is a core bug in Apple’s WebKit based Safari. This bug could potentially leak personal information regardless of the privacy settings you had enabled. In macOS you could always change to another browser that was not WebKit based. On iOS, iPadOS, watchOS and other app store locked devices there was no option as Apple requires every browser to use WebKit for its render engine.

The bug was out in the wild for about two weeks as of this writing, which is forever when it comes to security. Still a patch is a patch, and it is good to see this one getting closed. There are other critical severity patches out from Apple that include removing several Remote Code Execution (RCE) vulnerabilities found in across all of Apple’s operating systems.

These should be spooled up to be patched as soon as possible just because they contain fixes for RCEs and, well patching is important (Patch Often Patch Early). What makes these patches even more critical is that one has a note from Apple saying that Apple is “aware of a report that this issue may have been actively exploited.”. This is a calm way of saying you might already be owned because treat actors already have a way to exploit this in play.

We have said it before, and it bears repeating. Patching must be part of your security culture and requires buy in from everyone. Yes, it can be a pain in the ass. However, if you make this part of the daily routine, it is just another thing that you do at work. Like getting your morning caffeine or checking your email. The updates run, they finish, you move on with your day. In the meantime, you are taking away attack vectors and making your organization more complex to compromise.

Happy patching.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.