On Monday, January 22, Apple released operating system updates that introduced new features and fixed security vulnerabilities. According to Apple, one of those vulnerabilities “may have been exploited” in the wild. Let’s take a look at some of the highlights of this week’s updates.
Available for:
All supported Macs capable of running macOS Sonoma
Update information:
Enterprise:
Security-related fixes and updates:
At least 17 vulnerabilities were addressed in this update. Here are a few interesting ones:
Finder
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with improved checks.
Mail Search
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of sensitive information.
Safari
Impact: A user’s private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of user preferences.
Shortcuts
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
and, An app may be able to bypass certain Privacy preferences
Description: The issue was addressed with additional permissions checks
and, A privacy issue was addressed with improved handling of temporary files.
Time Zone
Impact: An app may be able to view a user’s phone number in system logs
Description: This issue was addressed with improved redaction of sensitive information.
WebKit often receives security-related fixes with each update, and this time is no exception. However, one of the WebKit patches included in this update is quite serious:
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
Description: A type confusion issue was addressed with improved checks.
For the full list of security patches included in macOS Sonoma 14.3, have a look here.
Meanwhile, the open-source component LibreSSL appears to still contain critical unpatched vulnerabilities. See our detailed report about these known vulnerabilities that affect every Mac today.
Apple neglects to patch multiple critical vulnerabilities in macOS
You can get this update by going to System Settings > Software Update, where compatible Macs running macOS Mojave or newer will see the Sonoma update appear. If your Mac is running macOS High Sierra or older, look for macOS Sonoma in the App Store and download it from there.
Notably, users of OpenCore Legacy Patcher (i.e. people who run macOS Sonoma on an unsupported Mac) must update to the latest version before attempting to update to the latest version of macOS Sonoma.
Available for:
All supported Macs currently running macOS Ventura
Security-related fixes and updates:
At least 13 vulnerabilities were addressed, most of them the same as those addressed in the macOS Sonoma update, including the fix for the exploited WebKit vulnerability. Enterprise users also received the following improvement:
Xsan volumes no longer fail to mount automatically.
A few of the fixes in this update that are not found in the macOS Sonoma update (because they were previously patched in earlier Sonoma updates) are:
Core Data
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
curl
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to curl version 8.4.0
LoginWindow
Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
For the full list of security patches included in macOS Ventura 13.6.4, have a look here.
You can get this update by going to System Settings > Software Update.
Available for:
All supported Macs currently running macOS Monterey
Security-related fixes and updates:
At least nine vulnerabilities were addressed in this update, overlapping with some of those addressed in the macOS Sonoma and Ventura updates.
For the full list of security patches included in macOS Monterey 12.7.3, have a look here.
You can get this update by going to System Preferences > Software Update.
This update addresses four WebKit issues, the same as those addressed in the macOS Sonoma 14.3 update.
The short list of fixes can be seen here, and the update is available in System Preferences > Software Update on your Mac. It will pop up as an available update once macOS 13.6.4 or 12.7.3 has been installed.
Available for:
iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Update information:
This update introduces additional security measures with Stolen Device Protection. This release also includes a new Unity wallpaper to honor Black history and culture in celebration of Black History Month, as well as other features, bug fixes, and security updates for your iPhone.
About Stolen Device Protection:
More information about this feature can be found here on Apple’s site. You can also check out our write-up of how to set up Stolen Device Protection on your iPhone, and why we recommend it.
Other new features:
Enterprise:
Bug fixes & improvements:
Security-related fixes and updates:
At least 16 vulnerabilities were addressed in this update, many of them the same as those addressed in the aforementioned macOS updates.
One fix unique to iOS and iPadOS 17.3 is for an issue with the new Stolen Device Protection:
Reset Services
Impact: Stolen Device Protection may be unexpectedly disabled
Description: The issue was addressed with improved authentication.
The full list of security issues that were addressed can be found here. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Security-related fixes and updates:
At least eight vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here. To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Security-related fixes and updates:
Although only two updates are listed for 15.8.1, they are both significant. Both involve WebKit vulnerabilities that may have been exploited in the past.
WebKit
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with improved locking.
See here to read Apple’s brief document about this update.
To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
Apple Watch Series 4 and later
Update information:
Security-related fixes and updates:
At least 12 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
The full list of security issues that were addressed can be found here.
Every update that was released today, with the exception of watchOS 10.3, includes a fix for a vulnerability that has reportedly been exploited in the wild. It is therefore ideal to update as soon as you reasonably can.
If you haven’t yet upgraded to macOS Sonoma, be sure to first update your critical software. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings > General > Software Update.
If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l
(that’s a lowercase L) and press Return/Enter, then check System Settings > General > Software Update again.
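For anyone checking more than one Mac, the comparison against this week's releases can be scripted. The following is an added example, not an Apple or Intego tool: the function names are hypothetical, and the version floors (14.3, 13.6.4, 12.7.3) are the macOS releases named in this article.

```shell
#!/bin/sh
# Added example: compare a macOS version string against the patched releases
# named in this article (Sonoma 14.3, Ventura 13.6.4, Monterey 12.7.3).
# Function names are hypothetical; the version floors come from the article.

# ver_ge A B: succeed when dotted version A >= B. Fields are compared
# numerically (so 14.10 > 14.3) and missing fields count as 0.
ver_ge() {
    a_rest=$1
    b_rest=$2
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}
        b=${b_rest%%.*}
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
        # Drop the field just compared; stop when no dot is left.
        case $a_rest in *.*) a_rest=${a_rest#*.} ;; *) a_rest= ;; esac
        case $b_rest in *.*) b_rest=${b_rest#*.} ;; *) b_rest= ;; esac
    done
    return 0
}

# patch_status VERSION: print "patched", "outdated (needs X)", "unlisted"
# (no release for that macOS line is named in the article) or "invalid".
patch_status() {
    case $1 in
        ''|*[!0-9.]*) echo "invalid"; return 1 ;;
    esac
    case ${1%%.*} in
        14) min=14.3 ;;
        13) min=13.6.4 ;;
        12) min=12.7.3 ;;
        *)  echo "unlisted"; return 0 ;;
    esac
    if ver_ge "$1" "$min"; then
        echo "patched"
    else
        echo "outdated (needs $min)"
    fi
}

# On a Mac, report on the running system; on other systems this is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status "$(sw_vers -productVersion)"
fi
```

A result of "patched" only means the Mac has this round of updates for its macOS line; it says nothing about later releases.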
Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Sonoma) via System Preferences > Software Update. If you have an iMac Pro or a MacBook Pro (2018) that’s still running macOS High Sierra, look for macOS Sonoma in the Mac App Store and download it from there.
Note that only the latest macOS version (currently, that’s macOS Sonoma) is ever fully patched; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”
Users of iPhone or iPad can go to Settings > General > Software Update to update iOS or iPadOS on their devices. (This is called an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there.
To update watchOS on your Apple Watch, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Apple Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.
Whenever you’re preparing to update macOS, iOS, or iPadOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.
See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.
Should you back up your iPhone to iCloud or your Mac? Here’s how to do both