![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/02\/Apple-software-update-red-critical-urgent-600x300-1.png\")
<\/p>\n<\/p>\n
On Thursday, May 18, Apple released updates to all of its operating systems. The updates included new features as well as security-related fixes\u2014including for three “actively exploited” vulnerabilities.<\/p>\n
Let’s take a look at the highlights of each update.<\/p>\n
In this article:<\/em><\/p>\n Notably, every single operating system that was updated this week received patches for three “actively exploited” (i.e. in-the-wild) vulnerabilities<\/strong> in WebKit. Two of these were patched previously for only macOS Ventura, iOS 16, and iPadOS 16, as part of Apple’s first-ever Rapid Security Response update on May 1<\/a>.<\/p>\n WebKit Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: The issue was addressed with improved bounds checks.<\/p>\n WebKit Bugzilla: 255350 <\/p>\n Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: An out-of-bounds read was addressed with improved input validation.<\/p>\n WebKit Bugzilla: 254930 <\/p>\n Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: A use-after-free issue was addressed with improved memory management.<\/p>\n WebKit Bugzilla: 254840 All of the updates below include these three urgent patches. (Technically, macOS Monterey and Big Sur received these patches in the form of their separate Safari update.)<\/a><\/p>\n Available for:<\/strong> New features:<\/strong><\/p>\n Enterprise:<\/strong><\/p>\n Improvements and bug fixes:<\/strong><\/p>\n Security-related fixes and updates:<\/strong> Accessibility<\/strong><\/p>\n Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app<\/p>\n Description: This issue was addressed with improved checks.<\/p>\n CVE-2023-32400: Mickey Jin (@patch1t)<\/p>\n <\/p>\n LaunchServices<\/strong><\/p>\n Impact: An app may bypass Gatekeeper checks<\/p>\n Description: A logic issue was addressed with improved checks.<\/p>\n CVE-2023-32352: Wojciech Regu\u0142a (@_r3ggi) of SecuRing (wojciechregula.blog)<\/p>\n <\/p>\n PackageKit<\/strong><\/p>\n Impact: An app may be able to modify protected parts of the file system<\/p>\n Description: A logic issue was addressed with improved state management.<\/p>\n CVE-2023-32355: Mickey Jin (@patch1t)<\/p>\n <\/p>\n Photos Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup<\/p>\n Description: The issue was addressed with improved checks.<\/p>\n CVE-2023-32390: Julian Szulc<\/p>\n <\/p>\n Screen Saver Impact: An app may be able to bypass Privacy preferences<\/p>\n Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.<\/p>\n CVE-2023-32363: Mickey Jin (@patch1t)<\/p>\n <\/p>\n Siri Impact: A person with physical access to a device may be able to view contact information from the lock screen<\/p>\n Description: The issue was addressed with improved checks.<\/p>\n CVE-2023-32394: Khiem Tran<\/p><\/blockquote>\n For the full list of security patches included in Ventura 13.4, have a look here<\/a>.<\/p>\n Users of macOS Ventura can get this update by going to System Settings<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences<\/strong> > Software Update<\/strong>. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> For the full list of security patches included in Monterey 12.6.6, have a look here<\/a>.<\/p>\n You can get this update by going to System Preferences<\/strong> > Software Update<\/strong>.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> For the full list of security patches included in Big Sur 11.7.7, have a look here<\/a>.<\/p>\n You can get this update by going to System Preferences<\/strong> > Software Update<\/strong>.<\/a><\/p>\n Available for:<\/strong> This update addresses 5 WebKit issues, the same as those addressed in the macOS updates. Please keep in mind, macOS Big Sur and Monterey users will need to install Safari 16.5 to receive the vulnerability fixes for the potentially exploited vulnerabilities.<\/p>\n The short list of fixes can be seen here<\/a>, and the update is available in System Preferences<\/strong> > Software Update<\/strong> on your Mac. It will pop up as an available update once macOS 12.6.6 or 11.7.7 has been installed.<\/a><\/p>\n Available for:<\/strong> New features & functionality: Enterprise:<\/strong><\/p>\n Improvements and bug fixes:<\/strong><\/p>\n Security-related fixes and updates:<\/strong> The full list of security issues that were addressed can be found here<\/a>. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong> on your device.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> The full list of security issues that were addressed can be found here<\/a>. To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong> on your device.<\/a><\/p>\n Apple has not released a corresponding security update for older devices stuck on iOS 12. The most recent, and possibly final, security update for iOS 12 was released in January 2023, and it only patched a single vulnerability.<\/p>\n Again, users whose devices are incapable of upgrading to iOS or iPadOS 16 should consider buying newer hardware that supports the current, and fully patched, operating systems.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates: The full list of security issues that were addressed can be found here<\/a>. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General<\/strong> > Software Update<\/strong>.<\/a><\/p>\n Although this may be the last time we’ll mention it in one of these round-ups, there’s still no watchOS 8 security update for Apple Watch Series 3, which Apple still sold refurbished until March<\/a>. For unknown reasons, Apple chose not to release watchOS 9 for this model. This put the device in an awkward state of limbo for eight months, while Apple still sold it, knowing it was dangerously vulnerable<\/a>. It would appear at this point that Apple intends to leave this watch model in a perpetually vulnerable state.<\/p>\n The most recent update for watchOS 8 was in mid-August 2022, about a month before watchOS 9 came out. The most recent watchOS update that included security fixes came a month prior, in July 2022. (Concerningly, Apple chose not to patch two “actively exploited” vulnerabilities for watchOS 8.7.1 in its August patch cycle. However, both vulnerabilities were later patched in watchOS 9.0.) Now it has been 10 months since the Apple Watch Series 3 has gotten any security updates.<\/p>\n As we’ve mentioned before, simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time<\/a>, mainly to support older Apple Watch models.<\/p>\n It’s hard to understand how Apple could justify such seemingly negligent behavior regarding a product that it was still selling.<\/p>\n Intego has asked Apple multiple times<\/a> for an update regarding watchOS 8 security updates for the Apple Watch Series 3, but Apple has continually neglected to respond to our inquiries. It’s quite evident at this point that Apple has no intention of releasing any further security updates for the watch it stopped selling two months ago.<\/p>\n Update:<\/strong> The month after this article was published, Apple released a patch for a single security vulnerability<\/a> affecting watchOS 8\u2014but continued to neglect to patch any of the other major vulnerabilities that have impacted watchOS 8 over the previous 11 months.<\/a><\/p>\n\n
Apple addresses three zero-day vulnerabilities<\/h3>\n
\n<\/strong><\/p>\n
\nCVE-2023-32409: Cl\u00e9ment Lecigne of Google’s Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab<\/p>\n
\nCVE-2023-28204: an anonymous researcher
\nThis issue was first addressed in Rapid Security Response macOS 13.3.1 (a).<\/p>\n
\nCVE-2023-32373: an anonymous researcher
\nThis issue was first addressed in Rapid Security Response macOS 13.3.1 (a).<\/p><\/blockquote>\nmacOS Ventura 13.4<\/h3>\n
\nAll supported Macs currently running macOS Ventura<\/p>\n\n
\n\n
\n
\nAt least 51 vulnerabilities were addressed in this update. Aside from the three actively exploited vulnerabilities mentioned above, here are some interesting ones:<\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\nmacOS Monterey 12.6.6<\/h3>\n
\nAll supported Macs currently running macOS Monterey<\/p>\n
\nAt least 29 vulnerabilities were addressed. They are a subset of the vulnerabilities addressed in the macOS Ventura update.<\/p>\nmacOS Big Sur 11.7.7<\/h3>\n
\nAll supported Macs currently running macOS Big Sur<\/p>\n
\nAt least 25 vulnerabilities were addressed in this update, all of them the same as those addressed in the macOS Monterey and Ventura updates.<\/p>\nSafari 16.5 for macOS Monterey and Big Sur<\/h3>\n
\nmacOS Big Sur and macOS Monterey.<\/p>\niOS 16.5 and iPadOS 16.5<\/h3>\n
\niPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later<\/p>\n
\n<\/strong><\/p>\n\n
\n
\n
\nAt least 39<\/s> 44<\/strong> vulnerabilities were addressed in this update, most of them the same as those addressed in the macOS updates. For iOS and iPadOS 16.5 the WebKit exploits have been addressed as well.\u00a0Update:\u00a0<\/strong>Apple added five additional vulnerabilities to the list on September 5, 2023.<\/p>\niOS 15.7.6 and iPadOS 15.7.6<\/h3>\n
\niPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)<\/p>\n
\nAt least 17 vulnerabilities were addressed in this update\u2014less than half the number of those addressed in iOS 16.5. Of particular concern, the iOS and iPadOS 15.7.6 updates only patch two of the three actively exploited WebKit vulnerabilities.<\/strong> Users whose devices are incapable of upgrading to iOS or iPadOS 16 should consider buying newer hardware that supports the current, and fully patched, operating systems.<\/p>\niOS 12 \u2014 no updates since January<\/h3>\n
watchOS 9.5<\/h3>\n
\nApple Watch Series 4 and later<\/p>\n
\n<\/strong>At least 32 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.<\/p>\nwatchOS 8 \u2014 still no security updates for ten months<\/h3>\n