![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/02\/Apple-software-update-red-critical-urgent-600x300-1.png\")
<\/p>\n<\/p>\n
On Friday, April 7, Apple released emergency security updates for macOS Ventura, iOS 16 and iPadOS 16, and Safari to address two “actively exploited” (zero-day, in the wild) vulnerabilities.<\/p>\n
On Monday, April 10, Apple released additional patches for macOS Monterey, macOS Big Sur, iOS 15 and iPadOS 15 to address the same vulnerabilities.<\/p>\n
Let’s examine what we know about the two vulnerabilities that Apple mitigated.<\/p>\n
In this article:<\/em><\/p>\n Two highly critical vulnerabilities were addressed in this update:<\/p>\n IOSurfaceAccelerator<\/strong><\/p>\n Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.<\/p>\n Description: An out-of-bounds write issue was addressed with improved input validation.<\/p>\n CVE-2023-28206: Cl\u00e9ment Lecigne of Google’s Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab<\/p>\n <\/p>\n WebKit<\/strong><\/p>\n Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/p>\n Description: A use after free issue was addressed with improved memory management.<\/p>\n WebKit Bugzilla: 254797 WebKit is the page-rendering engine used by Safari and other components of Apple operating systems. Third-party apps also use WebKit to render HTML content.<\/p>\n There aren’t yet any additional details about the vulnerabilities on the MITRE or NIST databases, and there are no clear connections yet on the\u00a0Google TAG<\/span>\u00a0<\/span>or<\/span>\u00a0<\/span>Amnesty International blogs, but more details might be forthcoming:<\/span><\/p>\n Apple links to the details of the security patches included in\u00a0macOS Ventura 13.3.1<\/a>\u00a0and\u00a0iOS 16.4.1 and iPadOS 16.4.1<\/a>\u00a0on the\u00a0Apple security updates page<\/a>\u00a0on its site.<\/p>\n As of early Friday there was no word yet on whether Ventura 13.3.1 had also fixed the <\/span>bug that Apple reportedly introduced in 13.3<\/a> that affects users whose Home folder is stored on an external drive. Users with this uncommon configuration have reported receiving the message, “You are unable to log into the user account ‘[username]’ at this time. Logging into the account failed because an error occurred.” If you don’t have your Home directory on an external storage device, then you don’t need to worry about this bug; it’s important to install the latest macOS Ventura update to address the aforementioned critical security vulnerabilities.\u00a0UPDATE:<\/strong> Macworld later reported that this issue was indeed fixed<\/a> in macOS Ventura 13.3.1.<\/span><\/p>\n Early on Monday, April 10, security researcher Linus Henze\u00a0released<\/a>\u00a0proof-of-concept code demonstrating how to exploit CVE-2023-28206. In part, this means that threat actors that had not already been aware of the vulnerability before Apple patched it, and had not yet reverse-engineered Apple’s Friday patches, can now more easily exploit the vulnerability on unpatched systems. Therefore, it’s even more urgent to install the updates, as there is an increased risk of more widespread exploitation in the wild.<\/a><\/p>\n <\/p>\n Macs running macOS Ventura can get this update by going to System Settings<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n If your Mac is still running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences<\/strong> > Software Update<\/strong>. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.<\/p>\n For optimal security, we advise all Mac users to upgrade to macOS Ventura<\/strong> if your Mac supports it\u2014or you may even be able to run macOS Ventura on an unsupported Mac<\/a>, at your own risk.<\/a><\/p>\n <\/p>\n Some devices cannot be upgraded to version 16.x, due to Apple dropping support<\/a> for several iPhone and iPad models, as well as the final model of iPod touch. For those older devices, it’s best to update to 15.7.5<\/a> for now, and replace the devices with 16.x-compatible hardware as soon as possible for optimal security.<\/p>\n If you have an iPhone or iPad that’s compatible with iOS 16 or iPadOS 16, the new 16.4.1 update can be obtained by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong> on your device.<\/a><\/p>\n A corresponding Safari 16.4.1 update for macOS Monterey and macOS Big Sur was also released.<\/p>\n However, the Safari update only addresses one of the two vulnerabilities, namely CVE-2023-28205, the WebKit issue.<\/p>\n Nice work, all! \ud83d\udc4f Can you please comment on whether CVE-2023-28206 also affects macOS Monterey or Big Sur (which were not patched today)?<\/p>\n — Josh Long (the\u00a0JoshMeister) (@theJoshMeister) April 7, 2023<\/a><\/p><\/blockquote>\n\n
\n
macOS Ventura 13.3.1, iOS 16.4.1, and iPadOS 16.4.1<\/h3>\n
What was fixed in macOS Ventura 13.3.1 and iOS\/iPadOS 16.4.1?<\/strong><\/h4>\n
\nCVE-2023-28205: Cl\u00e9ment Lecigne of Google’s Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab<\/p><\/blockquote>\n\n
How to update to macOS Ventura 13.3.1<\/strong><\/h4>\n
How to update to iOS 16.4.1 or iPadOS 16.4.1<\/strong><\/h4>\n
Safari 16.4.1 for macOS Monterey and Big Sur<\/h3>\n
It isn’t yet known whether or not<\/s> The other vulnerability, CVE-2023-28206, also affects macOS Monterey and Big Sur; if so,<\/s> the two older Mac operating systems may remain<\/s> remained vulnerable over the weekend. This was not an unprecedented occurrence; Apple frequently leaves previous macOS versions not fully patched<\/a>.\u00a0UPDATE:<\/strong> Apple released additional updates for macOS Monterey and Big Sur on Monday, April 10; see below<\/a>.<\/p>\n\n