![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/02\/Apple-software-update-red-critical-urgent-600x300-1.png\")
<\/p>\n<\/p>\n
On Monday, Apple released security updates for its operating systems, primarily to address an “actively exploited” (i.e. zero-day, in-the-wild) vulnerability. These updates included macOS Ventura 13.2.1, iOS and iPadOS 16.3.1, and more.<\/p>\n
In this article, we’ll examine what we know about the vulnerabilities that Apple mitigated, and why it’s important to update quickly.<\/p>\n
Update:<\/strong> Apple released macOS Big Sur 11.7.4 on Wednesday, noting that “This update has no published CVE entries.” A new section with additional details has been added below.<\/p>\n In this article:<\/p>\n First let’s take a look at the zero-day vulnerability that Apple addressed for multiple operating systems. Apple says of the update:<\/p>\n WebKit The vulnerability was mitigated in macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.1 for macOS Monterey and macOS Big Sur.<\/p>\n Notably, Apple has not yet released a corresponding patch for iOS 15 or iPadOS 15. This is significant, because many people still use iPhones and iPads that cannot be upgraded to iOS 16 or iPadOS 16. Additionally, the iPod touch (7th generation), which had just barely been discontinued in May 2022 before iOS 16 was announced in June, cannot be upgraded to iOS 16<\/a>, either.<\/p>\n Although Apple also patched vulnerabilities in tvOS 16 and watchOS 9 this week, Apple has yet to release the details about what was patched in those updates, so it is not yet clear whether those operating systems were affected or received patches for this WebKit vulnerability.<\/p>\n Little information is publicly available about the vulnerability. The WebKit Bugzilla issue<\/a> only allows “authorized” users to access it and see the details. So far, MITRE<\/a> and NIST<\/a> have not published any details about the CVE. Given that the vulnerability was reported anonymously, and that Apple acknowledged The Citizen Lab in its iOS update details, there is some speculation within the security community that this vulnerability may have been used by Pegasus<\/a> or other commercial spyware often used by governments and law enforcement agencies. However, this possible connection has not been confirmed.<\/p>\n Intego has reached out to Apple to inquire whether the vulnerability impacts tvOS, watchOS, or previous versions of iOS and iPadOS. Based on Apple’s track record, we do not anticipate that Apple will respond to our (or any journalist’s) inquiries about this matter.<\/p>\n Before this week, the most recent “actively exploited” vulnerability that Apple patched was a similar-sounding WebKit issue, also related to the processing of “maliciously crafted web content.” Apple patched that vulnerability<\/a>, CVE-2022-42856, on December 13, 2022 for macOS Ventura, Monterey, and Big Sur, for iOS and iPadOS 16 and 15, and for tvOS 16. Notably, the patch was not among those listed in watchOS 9.2’s security release notes; Apple never confirmed to Intego whether the vulnerability impacted watchOS. Apple later patched the same vulnerability for iOS 12<\/a> on January 23, 2023.<\/a><\/p>\n Available for:<\/strong> Security updates:<\/strong> Kernel <\/p>\n Shortcuts Users of macOS Ventura can get this update by going to System Settings<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences<\/strong> > Software Update<\/strong>. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the App Store and download it from there.<\/a><\/p>\n Apple has not yet released any security updates specifically for macOS Monterey this week, other than a separate Safari update (detailed below) that addresses the aforementioned WebKit vulnerability.<\/p>\n As a reminder, Apple is no longer patching every security vulnerability that affects macOS Monterey. Apple’s policy is that “not all known security issues are addressed in previous versions<\/a>.” We advise users to upgrade to macOS Ventura if your Mac supports it\u2014or even on an unsupported Mac<\/a>, at your own risk.<\/a><\/p>\n Available for:<\/strong> Improvements and bug fixes: macOS Big Sur 11.7.4 (20G1120) update is live \ud83d\udc47 pic.twitter.com\/L7gtcH2tM8<\/a><\/p>\n — Mr. Macintosh (@ClassicII_MrMac) February 15, 2023<\/a><\/p><\/blockquote>\n\n
Apple addresses zero-day vulnerability<\/h3>\n
\n<\/strong>Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
\nDescription: A type confusion issue was addressed with improved checks.
\nWebKit Bugzilla: 251944
\nCVE-2023-23529: an anonymous researcher<\/p><\/blockquote>\nmacOS Ventura 13.2.1<\/h3>\n
\nAll supported Macs currently running macOS Ventura<\/p>\n
\nAt least three vulnerabilities were addressed in this update. Apple’s page with macOS Ventura 13.2.1’s security details<\/a> currently mentions the WebKit vulnerability detailed above, and two others:<\/p>\n
\n<\/strong>Impact: An app may be able to execute arbitrary code with kernel privileges
\nDescription: A use after free issue was addressed with improved memory management.
\nCVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero<\/p>\n
\n<\/strong>Impact: An app may be able to observe unprotected user data
\nDescription: A privacy issue was addressed with improved handling of temporary files.
\nCVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group<\/p><\/blockquote>\nmacOS Monterey \u2014 no security updates yet<\/h3>\n
macOS Big Sur 11.7.4<\/h3>\n
\nAll Macs currently running macOS Big Sur<\/p>\n
\n<\/strong>According to MacRumors<\/a>, the Big Sur update “addresses an ongoing issue with Safari [Favorites] icons.” Apple had not yet published details about the update on its What’s new in the updates for macOS Big Sur<\/a> support page at the time we last updated this article. However, the Safari icon issue is not mentioned in the Apple Software Update description of the patch.<\/p>\n\n