Apple Patches Two Actively Exploited Vulns in Monterey 12.5.1, iOS and iPadOS 15.6.1
Posted on by Joshua Long
On Wednesday this week, Apple released updates for the current versions of macOS, iOS, and iPadOS to fix two “actively exploited” (i.e. in-the-wild, zero-day) vulnerabilities. Let’s take a look at what these updates have to offer, as well as what Apple might have skipped updating.
macOS Monterey 12.5.1
Apple’s latest Mac operating system update is available for all supported Macs currently running macOS Monterey. According to Apple’s macOS Monterey update release notes, macOS Monterey 12.5.1 “is recommended for all users and improves the security of macOS.”
Only two security-related patches are known to be included in this update, but both of them are quite serious and require urgent patching:
Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.*
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-32894: an anonymous researcher
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.*
Description: An out-of-bounds write issue was addressed with improved bounds checking.
WebKit Bugzilla: 243557
CVE-2022-32893: an anonymous researcher
*emphasis added
Those are all the details that Apple has published regarding the security content of macOS Monterey 12.5.1.
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running High Sierra or older, look for macOS Monterey in the App Store and download it from there.
Whither macOS Big Sur and macOS Catalina updates?
Notably, Apple did not release any updates for macOS Big Sur or macOS Catalina, the two previous versions of macOS. Apple typically releases some, but not all, security updates for the “n minus 1” and “n minus 2” major macOS versions.
UPDATE: Approximately 90 minutes after this article was published, Apple released Safari 15.6.1 for Big Sur and Catalina to address the WebKit vulnerability. The kernel vulnerability, however—assuming it also affects the two previous macOS versions—has not been patched. We are still awaiting a response from Apple, and will update this article again if we receive a reply or if additional patches become available.
Even actively exploited vulnerabilities that affect older versions of macOS do not necessarily get patched for those older macOS versions. (For more details, see our article, “Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious.”)
Back in April of this year, Apple released macOS Monterey 12.3.1, which similarly addressed two actively exploited (i.e. in-the-wild, zero-day) vulnerabilities. Apple waited until 6.5 weeks later—and after significant public pressure resulting from a viral Intego article—before finally releasing patches for macOS Big Sur and macOS Catalina.
Apple Neglects to Patch Two Zero-Day, Wild Vulnerabilities for macOS Big Sur, Catalina
At this time, it is not yet known whether one or both of the in-the-wild vulnerabilities that Apple addressed in macOS Monterey 12.5.1 may also be exploitable in Big Sur or Catalina. Given that both vulnerabilities were reported anonymously, and that Apple has not given much detail about them, we may never know. We could eventually find out, though, if a security researcher reverse-engineers the new Monterey patches, or if Apple decides to release corresponding patches for the older macOS versions at a later date.
This is exactly the right question. Unfortunately, @Apple doesn’t say one way or another. 😒 And the researchers who reported the 2 vulnerabilities are anonymous (as is often the case for actively exploited vulns). So, only way to know is if someone reverse-engineers the patches. https://t.co/CS7Zi64rTH
— Josh Long (the JoshMeister) (@theJoshMeister) August 17, 2022
On Wednesday, Intego reached out to Apple to inquire as to whether Big Sur or Catalina are impacted by either of the actively exploited vulnerabilities. (Intego is aware of at least one other reporter, from Ars Technica, who had also inquired of Apple and was awaiting a response.) This article will be updated if Apple responds, or if Apple releases corresponding patches for one or both of the older macOS versions. UPDATE: As mentioned above, Apple released Safari 15.6.1 for Big Sur and Catalina on Thursday to address the WebKit vulnerability. However, the kernel vulnerability might also affect the two previous macOS versions; if so, Apple has not yet released a patch for it.
Update: Apple released Safari 15.6.1 for macOS Big Sur and Catalina to address the WebKit vulnerability.
However, it remains unknown whether these older macOS versions are affected by the actively exploited kernel vulnerability—and whether Apple will patch them accordingly. https://t.co/iev8lULFTR
— Intego Mac Security (@IntegoSecurity) August 18, 2022
iOS 15.6.1 and iPadOS 15.6.1
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
According to Apple’s iOS 15 update release notes, iOS 15.6.1 “provides important security updates and is recommended for all users.”
The same two security issues that were patched in macOS Monterey 12.5.1 were also patched in iOS and iPadOS 15.6.1. The vulnerability details above are identical to what Apple has said regarding the security content of iOS 15.6.1 and iPadOS 15.6.1.
Unfortunately, it may potentially take as long as 1–4 weeks for any new iOS or iPadOS version to roll out to customers (as discussed on episode 233 of the Intego Mac Podcast). Users who find out about updates sooner through third-party Apple or security news sources, like Intego’s The Mac Security Blog, can manually check for new updates when they’re released.
Given that Apple’s new Studio Display runs a full version of iOS 15 (currently 15.5), it’s possible that a corresponding update might be made available for the display as well, at some point. Because the display is so new, little historical data is available to indicate how often Apple may plan to deliver iOS updates to Studio Displays (although Apple seems to have skipped over iOS 15.6, which was released on July 20).
To install the latest iOS or iPadOS updates, check the Settings app on your device: Settings > General > Software Update. The process is the same regardless of whether you use an iPhone, iPad, or iPod touch.
watchOS 8.7.1
Available for: Apple Watch Series 3
Oddly, Apple also released a new watchOS 8.7.1 update, but it seems to be exclusively available for the Apple Watch Series 3—the oldest watch that Apple still sells. Apple says that the update “has no published CVE entries” (i.e. no formally documented vulnerabilities) at the time of writing. No details regarding watchOS 8.7.1 have been published yet on Apple’s watchOS 8 update release notes page, so it is unclear why only Apple Watch Series 3 received an update.
Intego has inquired of Apple whether watchOS 8.7.1 contains any non-CVE security fixes. We also asked Apple whether watchOS is affected by the vulnerabilities that were just patched for macOS, iOS, and iPadOS, and if so, whether a patch is forthcoming. This article will be updated if Apple responds.
To install this update on your Apple Watch Series 3, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
What about tvOS and audioOS?
Apple has apparently not released updates for tvOS (for Apple TV) or audioOS (for HomePod) so far this week.
It is not known whether tvOS contains either of the same vulnerabilities that were patched for macOS, iOS, and iPadOS this week, and if so, whether a patch is forthcoming. Intego has inquired of Apple, and this article will be updated if Apple responds.
Apple has never publicly released any security details regarding HomePod updates, and little information is publicly available regarding audioOS.
Key takeaways
Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s macOS Monterey, iOS, and iPadOS updates. (Note: If you still have macOS Big Sur or Catalina, it’s best to upgrade to macOS Monterey if you can. If your Mac doesn’t support it, consider getting a newer Mac or hacking your Mac to run macOS Monterey.) This week’s watchOS update exclusively for Apple Watch Series 3 may not be as urgent.
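For administrators who want to confirm which Macs still need this week’s fixes, here is an added example (not from the article or from Apple) that encodes the versions named above: Monterey must be at 12.5.1, while Big Sur and Catalina can only reach Safari 15.6.1 for the WebKit fix. The commented live-machine invocation assumes `sw_vers` and Safari’s Info.plist are present, as they are on a stock macOS install.

```shell
#!/bin/sh
# Added example: flag a Mac that is still below the release carrying the
# CVE-2022-32894 / CVE-2022-32893 fixes. Versions are compared component by
# component so 12.5.1 ranks above 12.5 and 12.10 above 12.9 (a plain string
# comparison gets both of these wrong).

# version_lt A B -> exit status 0 when A is strictly older than B
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"        # leading component of each
        ah="${ah:-0}"; bh="${bh:-0}"        # missing component counts as 0
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# fix_status MACOS_VERSION SAFARI_VERSION -> one-word status for reporting
#   update-monterey     Monterey below 12.5.1 (kernel + WebKit fixes missing)
#   patched             Monterey 12.5.1 or later
#   update-safari       Big Sur/Catalina with Safari below 15.6.1
#   patched-webkit-only Big Sur/Catalina with Safari 15.6.1; no kernel fix exists
#   upgrade             Mojave or older: no patches, move to Monterey
fix_status() {
    os="$1"; safari="$2"
    case "$os" in
        12.*)        if version_lt "$os" 12.5.1; then echo update-monterey; else echo patched; fi ;;
        11.*|10.15*) if version_lt "$safari" 15.6.1; then echo update-safari; else echo patched-webkit-only; fi ;;
        *)           echo upgrade ;;
    esac
}

# On a real Mac (assumed stock paths; run interactively, not in CI):
#   fix_status "$(sw_vers -productVersion)" \
#     "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)"
```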
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related articles on ensuring that your Mac backups are working, and the best approach for backing up your iPhone or iPad:
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices.
Next week, Kirk and Josh will discuss more about the latest Apple updates on episode 254. Be sure to follow the podcast to make sure you don’t miss any episodes!
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: