CVE-2024-40798 – an app may be able to read Safari's browsing history
CVE-2024-40798 is a newly identified vulnerability in Safari that may expose browsing history. It has been fixed in several Apple software updates and awaits analysis without a CVSS severity score.
Read original article
CVE-2024-40798 is a newly identified vulnerability that is currently awaiting analysis. It has been reported that this issue involves inadequate redaction of sensitive information, which could potentially allow an application to access Safari's browsing history. The vulnerability has been addressed in several updates, including macOS Sonoma 14.6, iOS 16.7.9, iPadOS 16.7.9, macOS Monterey 12.7.6, and macOS Ventura 13.6.8. The National Vulnerability Database (NVD) has not yet provided a severity score for this vulnerability under the Common Vulnerability Scoring System (CVSS). The details were published on July 29, 2024, and the last modification was made on July 30, 2024. Apple Inc. is the source of this CVE entry, and they have provided several references for further information regarding the updates and fixes related to this vulnerability.
- CVE-2024-40798 involves a vulnerability in Safari that may expose browsing history.
- The issue has been fixed in multiple Apple software updates.
- The vulnerability is currently awaiting analysis and has no assigned CVSS severity score yet.
- Apple Inc. is the source of the CVE entry and has provided additional resources for users.
Related
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple AR Kit Quick Look, launching objects without consent.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
'Almost every Apple device' vulnerable to CocoaPods
Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.
OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011
CVE-2024-5535 is a historical OpenSSL vulnerability allowing buffer overreads, affecting Python and Node.js versions up to 3.9 and 9, respectively. Users should review usage of `SSL_select_next_proto`.
6 commentsBut does macOS even attempt to sandbox applications like that? I assumed it's like Windows/Linux where traditionally applications have full access to a user's data and it only attempts to protect data of other users. On Windows/Linux attempts to introduce such isolation have seen little adoption so far. Has Apple been more successful on macOS?
> This issue is fixed in macOS Sonoma 14.6, iOS 16.7.9 and iPadOS 16.7.9, macOS Monterey 12.7.6, macOS Ventura 13.6.8.
Okay now you can panic. But at least if your devices are up to date, it's fixed now...
Related
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple AR Kit Quick Look, launching objects without consent.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
'Almost every Apple device' vulnerable to CocoaPods
Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.
OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011
CVE-2024-5535 is a historical OpenSSL vulnerability allowing buffer overreads, affecting Python and Node.js versions up to 3.9 and 9, respectively. Users should review usage of `SSL_select_next_proto`.