On Thursday this week, Apple released updates to the current versions of its operating systems—including fixes for two “actively exploited” vulnerabilities. Let’s take a look at what these updates have to offer in terms of security patches.
Apple’s latest Mac operating system update is available for all supported Macs currently running macOS Monterey. According to Apple, “macOS Monterey 12.3.1 includes bug fixes and security updates for your Mac.”
Only two security-related patches are known to be included in this update, but both of them are quite serious and require urgent patching:
AppleAVD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.*
CVE-2022-22675: an anonymous researcher
Intel Graphics Driver
Impact: An application may be able to read kernel memory
Description: An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation. Apple is aware of a report that this issue may have been actively exploited.*
CVE-2022-22674: an anonymous researcher
*emphasis added
Given that these security vulnerabilities have been actively exploited in the wild, it was necessary for Apple to release this update just two weeks after macOS Monterey 12.3.
For the full list of security patches included in macOS Monterey 12.3.1, have a look here.
This update also addresses the following non-security issues:
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running High Sierra or older, look for macOS Monterey in the App Store and download it from there.
Notably, Apple did not release any updates for macOS Big Sur or macOS Catalina, the two previous versions of macOS. Apple typically releases some, but not all, security updates for the “n minus 1” and “n minus 2” major macOS versions.
Intego’s Chief Security Analyst, Josh Long, discovered last year that even actively exploited vulnerabilities that affect older versions of macOS do not necessarily get patched for those older macOS versions. See our article, “Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious.”
It is not known whether the two in-the-wild vulnerabilities that Apple addressed in macOS Monterey 12.3.1 may also be exploitable in Big Sur or Catalina. Given that both vulnerabilities were reported anonymously, and that Apple has not given much detail about them, we may never know, unless Apple releases corresponding patches at a later date.
Intego has reached out to Apple to inquire as to whether Big Sur or Catalina are impacted by either of the actively exploited vulnerabilities. This article will be updated if Apple responds, or if Apple releases corresponding patches for one or both of the older macOS versions.
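For administrators who want to check a Mac against the fix described above, the following shell snippet is an added example, not code from the article or from Intego. It classifies an installed macOS version against 12.3.1 and, following the article, flags Big Sur and Catalina as having no patch released for these two CVEs; it assumes a POSIX shell with awk, and uses `sw_vers` only when it is actually run on a Mac.

```shell
#!/bin/sh
# Added example (not from the Intego article): classify a macOS version string
# against the fix for CVE-2022-22675 / CVE-2022-22674 discussed above.
# Only macOS Monterey 12.3.1 is known to carry the fix; Big Sur (11.x) and
# Catalina (10.15.x) had no corresponding patch at the time of writing.

FIXED_MONTEREY="12.3.1"

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing
# component by component and treating missing components as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# macos_patch_status VERSION: print one of
#   patched            - Monterey at or above 12.3.1
#   update-available   - Monterey below 12.3.1; install the update
#   no-patch-released  - Big Sur or Catalina; no fix published for these CVEs
#   unknown            - any other release (not covered by the advisory)
macos_patch_status() {
    v="$1"
    case "$v" in
        12|12.*)
            if version_ge "$v" "$FIXED_MONTEREY"; then echo patched
            else echo update-available; fi ;;
        11|11.*|10.15|10.15.*) echo no-patch-released ;;
        *) echo unknown ;;
    esac
}

# When run on a Mac, report the installed version (sw_vers is macOS-only).
if command -v sw_vers >/dev/null 2>&1; then
    cur=$(sw_vers -productVersion)
    echo "macOS $cur: $(macos_patch_status "$cur")"
fi
```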
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
iOS 15.4.1 includes bug fixes and security updates for your iPhone and is recommended for all users.
Only a single security fix is known to be included with this update: the same “actively exploited” AppleAVD issue that was addressed in macOS Monterey. Users should update quickly to iOS and iPadOS 15.4.1 to stay safe from the in-the-wild vulnerability.
This update also includes the following non-security bug fixes:
User complaints about reduced battery life after an iOS update are nothing new. Often when an iOS or iPadOS update is released, social media and forum posts will claim that the update has reduced battery life. In some cases, simply restarting the device may fix the problem. To have a battery drain issue acknowledged by Apple is refreshing, and to have a software fix available just two weeks after 15.4 rolled out is certainly nice.
Unfortunately, it may take up to 1–4 weeks for any new iOS or iPadOS version to roll out to customers (as discussed on this week’s Intego Mac Podcast episode, number 233), unless users pay attention to third-party Apple or security news sources like Intego’s The Mac Security Blog and manually check for new updates when they’re released.
Given that Apple’s new Studio Display runs a full version of iOS 15.4, it is currently not known if the 15.4.1 update is available for the display as well, or if it even needs it. With a software fix for the poor webcam quality from those displays forthcoming, coupled with the current security vulnerability in 15.4, we will soon find out how Apple plans to deliver software updates to the displays.
Details about the security issue addressed in iOS and iPadOS 15.4.1 can be found here.
Available for: Apple Watch Series 3 and later
The new watchOS 8.5.1 update “includes security updates and bug fixes for your Apple Watch.” However, Apple says that the update “has no published CVE entries” (i.e. no publicly disclosed vulnerabilities) at the time of writing.
It is unclear whether this means that Apple mistakenly used boilerplate text, or intentionally used it in case users are updating from a watchOS version older than 8.5 (since 8.5.1 includes all the security fixes found in 8.5). It may also mean that watchOS 8.5.1 includes fixes for security issues that have not been assigned a CVE number.
Intego has inquired of Apple whether or not watchOS 8.5.1 contains non-CVE security fixes. This article will be updated if Apple responds.
To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
Available for: Apple TV 4K and Apple TV HD
Apple notes “This update includes stability improvements when setting up or restoring your Apple TV,” but does not provide any further details. The Apple security updates page states that the update “has no published CVE entries,” and currently does not list any security issues addressed in this update.
The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Apple’s rarely-mentioned audioOS operating system for HomePod also received an update. Apple has never mentioned audioOS on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s macOS Monterey, iOS, and iPadOS updates. This week’s watchOS, tvOS, and audioOS updates are not as urgent.
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related article on checking your macOS backups:
This week, in episode 233, Josh and Kirk discussed why iOS updates—including ones containing critical security fixes for actively exploited vulnerabilities—can take up to four weeks to roll out to users. Be sure to follow the podcast to make sure you don’t miss any episodes!
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: