Inside of Apple’s latest update for Mac are fixes for a wide range of security flaws. macOS 12.2 patches 13 serious security bugs ranging from the Safari web browsing leak to a flaw that can give malicious apps access to root privileges, kernel privileges, iCloud data, and more.

We already knew about the web browsing and Google account ID flaw being patched ahead of time as it arrived with the RC versions of iOS 15.3 and macOS 12.2 However, Apple has now detailed the full list of security patches with documentation available for macOS 12.2.

Apple has also patched a number of security issues with macOS 11.6.3 and an update for macOS Catalina.

iOS 15.3 comes with 10 security fixes, and 8 for watchOS 8.4. macOS 12.2 comes with the most at 13 security fixes.

Beyond the Safari web browsing flaw, others security issues patched include apps gaining root privileges, the ability to execute arbitrary code with kernel privileges, accessing user files through an iCloud, and more.

Here are the 13 flaws fixed in macOS 12.2 per Apple:


AMD Kernel

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22586: an anonymous researcher

ColorSync

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

Crash Reporter

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22578: an anonymous researcher

iCloud

Available for: macOS Monterey

Impact: An application may be able to access a user’s files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

Intel Graphics Driver

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto

IOMobileFrameBuffer

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

Kernel

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

Model I/O

Available for: macOS Monterey

Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

Description: An information disclosure issue was addressed with improved state management.

CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

PackageKit

Available for: macOS Monterey

Impact: An application may be able to access restricted files

Description: A permissions issue was addressed with improved validation.

CVE-2022-22583: an anonymous researcher, Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point

WebKit

Available for: macOS Monterey

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

WebKit

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

WebKit

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved state management.

CVE-2022-22592: Prakash (@1lastBr3ath)

WebKit Storage

Available for: macOS Monterey

Impact: A website may be able to track sensitive user information

Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.

CVE-2022-22594: Martin Bajanik of FingerprintJS

Additional recognition

Kernel

We would like to acknowledge Tao Huang for their assistance.

Metal

We would like to acknowledge Tao Huang for their assistance.

PackageKit

We would like to acknowledge Mickey Jin (@patch1t), Mickey Jin (@patch1t) of Trend Micro for their assistance.

WebKit

We would like to acknowledge Prakash (@1lastBr3ath) for their assistance.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Michael Potuck

Michael is an editor for 9to5Mac. Since joining in 2016 he has written more than 3,000 articles including breaking news, reviews, and detailed comparisons and tutorials.