![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/02\/Apple-software-update-red-critical-urgent-600x300-1.png\")
<\/p>\n<\/p>\n
On Monday, July 24, Apple released updates to its current operating systems as well as a few older ones. The updates fixed some bugs as well as security vulnerabilities\u2014including “actively exploited” vulnerabilities.<\/p>\n
Let’s take a look at some of the highlights of these updates.<\/p>\n
In this article:<\/em><\/p>\n In total, this week’s patches addressed three vulnerabilities Apple describes as “actively exploited,” meaning they are known to have been used in real-world attacks. An “actively exploited” vulnerability is also sometimes referred to as a “zero-day” or “in-the-wild” vulnerability.<\/p>\n Two of the three have previously been addressed in past patches and are now available to more Apple operating systems.<\/p>\n The brand-new “actively exploited” vulnerability addressed for the first time in this week’s updates is a kernel vulnerability named CVE-2023-38606. Based on the information Apple has provided, it appears that this vulnerability may have been used in attacks against iPhones in Russia, as part of the Operation Triangulation attack campaign used to spread TriangleDB iPhone spyware<\/a>.<\/p>\n Kernel Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited<\/span> against versions of iOS released before iOS 15.7.1.<\/p>\n Description: This issue was addressed with improved state management.<\/p>\n CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky<\/p><\/blockquote>\n Another actively exploited vulnerability\u2014CVE-2023-37450, a WebKit issue previously addressed in this month’s Rapid Security Response updates<\/a>\u2014was re-released for the same operating systems, and also brought for the first time to watchOS 9 and tvOS 16. Notably, iOS 15 and iPadOS 15 appear not<\/em><\/strong> to have received patches for this vulnerability.<\/p>\n WebKit<\/strong><\/p>\n Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: The issue was addressed with improved checks.<\/p>\n CVE-2023-37450: an anonymous researcher<\/p><\/blockquote>\n Finally, iOS 15.7.8 and iPadOS 15.7.8 apparently received a patch for CVE-2023-32409, a WebKit vulnerability that was patched for other Apple operating systems back on May 18<\/a>.<\/p>\n WebKit Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.<\/span><\/p>\n Description: The issue was addressed with improved bounds checks.<\/p>\n WebKit Bugzilla: 255350 Available for:<\/strong> Update information:<\/strong><\/p>\n Apple did not specify which bugs were fixed, nor did it provide any details for enterprise users.<\/p>\n Security-related fixes and updates:<\/strong> AppleMobileFileIntegrity Assets Shortcuts Out of all addressed issues, eight were WebKit related and 11 were kernel related. For the full list of security patches included in Ventura 13.5, have a look here<\/a>.<\/p>\n You can get this update by going to System Preferences<\/strong> > Software Update<\/strong>, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running macOS High Sierra or older, look for macOS Ventura in the App Store and download it from there.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> You can get this update by going to System Preferences<\/strong> > Software Update<\/strong>.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> You can get this update by going to System Preferences<\/strong> > Software Update<\/strong>.<\/a><\/p>\n Available for:<\/strong> This update addresses at least seven WebKit issues that were also addressed for macOS Ventura. The short list of fixes can be seen here<\/a>, and the update is available to applicable Macs via System Preferences<\/strong> > Software Update<\/strong>. It will pop up as an available update once macOS 12.6.8 or 11.7.9 has been installed.<\/a><\/p>\n Available for:<\/strong> Enterprise:<\/strong><\/p>\n Security-related fixes and updates:<\/strong> To get the latest update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can download these updates over the air (i.e. directly onto the device) by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong>\u00a0on your device.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates:<\/strong> To get this update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can\u00a0download these updates over the air by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong> on your device.<\/a><\/p>\n Available for:<\/strong> Security-related fixes and updates: The full list of security issues that were addressed can be found here<\/a>. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge.<\/a> Then open the Watch app on your phone and tap General<\/strong> > Software Update<\/strong>.<\/p>\n Meanwhile, Apple has once again left users of Apple Watch Series 3\u2014which Apple was still selling until mid-March 2023<\/a>\u2014out in the cold with no security updates.<\/p>\n Apple has only patched a single vulnerability for watchOS 8 in the past 12 months<\/a>, providing little more than a false sense of security to Apple Watch Series 3 users.<\/a><\/p>\n New Features<\/strong><\/p>\n Security-related fixes and updates:<\/strong> The full list of security issues that were addressed can be found here<\/a>.<\/a><\/p>\n Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) was also updated. Apple has never mentioned this operating system on its security updates page<\/a>, so it is unclear whether any security issues were addressed in this week’s update. However, according to the Mr. Macintosh blog<\/a>, which keeps track of OS version numbers, the audioOS build numbers match those of tvOS, which seems to imply that the HomePod runs essentially the same operating system as the Apple TV.<\/p>\n HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home<\/strong> app on your iPhone or iPad, then tap the\u00a0House icon<\/strong> > Home Settings<\/strong> > Software Update<\/strong> > temporarily disable (toggle off) Install Updates Automatically<\/strong> > then tap Install<\/strong>. After updating, remember to re-enable the Install Updates Automatically<\/strong> setting.<\/a><\/p>\n If you get nothing else out of this article, here are some key points:<\/p>\n All operating systems mentioned in this article received a fix for the new “actively exploited” kernel vulnerability identified as CVE-2023-38606. However, the actively exploited WebKit vulnerability known as CVE-2023-37450\u2014which was originally addressed by the Rapid Security Response earlier this month<\/a>\u2014evidently remains unpatched in iOS 15.7.8 and iPadOS 15.7.8, as well as watchOS 8.8.1 (the latest watchOS available for the Apple Watch Series 3)<\/a>.<\/p>\n It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple releases a Rapid Security Response or otherwise warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.<\/p>\n If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why.<\/a> Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.<\/p>\n\n
\n
Apple addresses zero-day vulnerabilities<\/h3>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\nCVE-2023-32409: Cl\u00e9ment Lecigne of Google’s Threat Analysis Group and Donncha \u00d3 Cearbhaill of Amnesty International\u2019s Security Lab<\/a><\/p><\/blockquote>\nmacOS Ventura 13.5<\/h3>\n
\nAll supported Macs currently running macOS Ventura<\/p>\n\n
\nAt least 42 vulnerabilities were addressed in this update. Aside from the actively exploited ones discussed earlier, here are a few other interesting ones:<\/p>\n
\n<\/strong>Impact: An app may be able to determine a user\u2019s current location
\nDescription: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.<\/p>\n
\n<\/strong>Impact: An app may be able to modify protected parts of the file system
\nDescription: This issue was addressed with improved data protection.<\/p>\n
\n<\/strong>Impact: A shortcut may be able to modify sensitive Shortcuts app settings
\nDescription: An access issue was addressed with improved access restrictions.<\/p><\/blockquote>\nmacOS Monterey 12.6.8<\/h3>\n
\nAll supported Macs currently running macOS Monterey<\/p>\n
\nAt least 22 vulnerabilities were addressed, all of which were addressed in the macOS Ventura update. For the full list of security patches included in Monterey 12.6.8, have a look here<\/a>.<\/p>\nmacOS Big Sur 11.7.9<\/h3>\n
\nAll supported Macs currently running macOS Big Sur<\/p>\n
\nAt least 18 vulnerabilities were addressed in this update, all of them the same as those addressed in the macOS Monterey and Ventura updates. For the full list of security patches included in Big Sur 11.7.9, have a look here<\/a>.<\/p>\nSafari 16.6 for macOS Monterey and Big Sur<\/h3>\n
\nmacOS Big Sur and macOS Monterey.<\/p>\niOS 16.6 and iPadOS 16.6<\/h3>\n
\niPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later<\/p>\n\n
\nAt least 25 vulnerabilities were addressed in this update, most of them the same as those addressed in the macOS updates. The full list of security issues that were addressed can be found here<\/a>.<\/p>\niOS 15.7.8 and iPadOS 15.7.8<\/h3>\n
\niPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)<\/p>\n
\nAt least 11 vulnerabilities were addressed in this update, all of which were either covered in this week’s or prior iOS 16 updates. The full list of security issues that were addressed can be found here<\/a>.<\/p>\nwatchOS 9.6<\/h3>\n
\nApple Watch Series 4 and later<\/p>\n
\n<\/strong>At least 18 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.<\/p>\nwatchOS 8 users spurned once again<\/strong><\/h4>\n
tvOS 16.6<\/h3>\n
Available for:<\/strong>
\nApple TV 4K (all models) and Apple TV HD<\/div>\n\n
\nAt least 13 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.<\/p>\naudioOS 16.6<\/h3>\n
Key takeaways<\/h3>\n
\n
\n