Safari Flaw Can Expose iPhone Users in the EU to Tracking
Apple's implementation of installing marketplace apps from Safari is heavily flawed and can allow a malicious marketplace to track users across websites
Chrome Users Now Worth 30% Less Money Thanks to Google's Cookie Killing, Ad Firm Says
A week into phase one of Google’s cookie killing project in Chrome, early tests show how it could hit the web’s bottom line.
iLeakage
We present iLeakage, a transient execution side channel targeting the Safari web browser present on Macs, iPads and iPhones. iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery. We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution. In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.
Project Zero: An Autopsy on a Zombie In-the-Wild 0-day
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.
Project Zero: An Autopsy on a Zombie In-the-Wild 0-day
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.
Project Zero: An Autopsy on a Zombie In-the-Wild 0-day
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.
Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass
The identified vulnerability allows bypassing of Gatekeeper security and app notorization, has been patched by Apple.
Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass
The identified vulnerability allows bypassing of Gatekeeper security and app notorization, has been patched by Apple.
Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass
The identified vulnerability allows bypassing of Gatekeeper security and app notorization, has been patched by Apple.
Safari Flaws Exposed Webcams, Online Accounts, and More
Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.
Safari Flaws Exposed Webcams, Online Accounts, and More
Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.
Safari Flaws Exposed Webcams, Online Accounts, and More
Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.
Webcam Hacking (again) - Safari UXSS
$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975
Webcam Hacking (again) - Safari UXSS
$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975
Webcam Hacking (again) - Safari UXSS
$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975
Mettez à jour iOS ! WebKit contient une vulnérabilité dangereuse
Apple a publié iOS 15.3.1 pour corriger la vulnérabilité CVE-2022-22620 de WebKit, qui serait activement exploitée par les cybercriminels. [version EN](https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/)
Mettez à jour iOS ! WebKit contient une vulnérabilité dangereuse
Apple a publié iOS 15.3.1 pour corriger la vulnérabilité CVE-2022-22620 de WebKit, qui serait activement exploitée par les cybercriminels. [version EN](https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/)
Mettez à jour iOS ! WebKit contient une vulnérabilité dangereuse
Apple a publié iOS 15.3.1 pour corriger la vulnérabilité CVE-2022-22620 de WebKit, qui serait activement exploitée par les cybercriminels. version EN
Nouvelle version de Safari 15.3 sur Big Sur et Catalina pour combler une faille importante | MacGeneration
"Sorti hier, macOS 12.2.1 règle un problème de sécurité dans WebKit, le moteur de Safari, qui aurait pu permettre à une personne malintentionnée d'exécuter du code arbitraire en faisant simplement visiter à l'utilisateur une page web malveillante (CVE-2022-22620). Si votre Mac n'est pas compatible avec macOS Monterey, une mise à jour individuelle de Safari est disponible."
Nouvelle version de Safari 15.3 sur Big Sur et Catalina pour combler une faille importante | MacGeneration
"Sorti hier, macOS 12.2.1 règle un problème de sécurité dans WebKit, le moteur de Safari, qui aurait pu permettre à une personne malintentionnée d'exécuter du code arbitraire en faisant simplement visiter à l'utilisateur une page web malveillante (CVE-2022-22620). Si votre Mac n'est pas compatible avec macOS Monterey, une mise à jour individuelle de Safari est disponible."
Nouvelle version de Safari 15.3 sur Big Sur et Catalina pour combler une faille importante | MacGeneration
"Sorti hier, macOS 12.2.1 règle un problème de sécurité dans WebKit, le moteur de Safari, qui aurait pu permettre à une personne malintentionnée d'exécuter du code arbitraire en faisant simplement visiter à l'utilisateur une page web malveillante (CVE-2022-22620). Si votre Mac n'est pas compatible avec macOS Monterey, une mise à jour individuelle de Safari est disponible."
Apple Releases iOS, iPadOS, macOS Updates to Patch Actively Exploited Zero-Day Flaw
"Apple on Thursday released security updates for iOS, iPadOS, macOS, and Safari to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year."
Apple Releases iOS, iPadOS, macOS Updates to Patch Actively Exploited Zero-Day Flaw
"Apple on Thursday released security updates for iOS, iPadOS, macOS, and Safari to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year."
Apple Releases iOS, iPadOS, macOS Updates to Patch Actively Exploited Zero-Day Flaw
"Apple on Thursday released security updates for iOS, iPadOS, macOS, and Safari to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year."