On Tuesday, December 19, Apple released operating system updates, primarily to fix various non-security-related bugs. The macOS Sonoma update, however, fixed at least one security vulnerability. Let’s take a look at what Apple fixed, and what remains unpatched.
Available for:
All supported Macs capable of running macOS Sonoma
Apple’s macOS Sonoma release notes only specify that “This update provides important bug fixes and security updates and is recommended for all users.”
On the company’s security release notes page, Apple links to details about the lone security patch in macOS Sonoma 14.2.1:
WindowServer
Impact: A user who shares their screen may unintentionally share the incorrect content
Description: A session rendering issue was addressed with improved session tracking.
CVE-2023-42940: Craig Hockenberry
You can get this update by going to System Settings > Software Update, where compatible Macs running macOS Mojave or newer will see the Sonoma update appear. If your Mac is running macOS High Sierra or older, look for macOS Sonoma in the App Store and download it from there.
Notably, users of OpenCore Legacy Patcher (i.e. people who run macOS Sonoma on an unsupported Mac) must update to the latest version before upgrading to macOS Sonoma 14.2.1.
In macOS Sonoma 14.2.1, Apple has yet to address several vulnerabilities. In November, Intego published an exclusive report about major vulnerabilities in open-source components of macOS Sonoma. To this day, macOS Sonoma is still missing a number of major security patches, including one for a vulnerability that has been actively exploited in the wild, and patches for two “critical” vulnerabilities rated 9.8 out of 10. In total, at least five vulnerabilities in open-source components appear to remain unpatched in macOS Sonoma 14.2.1.
Apple neglects to patch multiple critical vulnerabilities in macOS
Apple also released several other bug-fix updates this week, none of which appear to have included security updates.
(The company’s security release notes page only states that “[each] update has no published CVE entries.” Technically, this doesn’t say much; in theory, the updates could address other security issues that don’t have CVE numbers assigned, or could address vulnerabilities whose CVEs are not yet published. But as far as we know right now, the updates do not patch any security issues.)
The other OS-related updates are as follows:
It’s unclear why we only got iOS 17.2.1 without a corresponding patch for iPadOS; normally, we would get iPadOS 17.2.1 alongside iOS 17.2.1. The only known issue addressed in iOS 17.2.1 was reportedly mentioned in the Japanese release notes, which indicated that it “addresses an issue where the battery may drain quickly under certain conditions.” Perhaps this issue only applied to iPhones, but not iPads.
The Mr. Macintosh blog observed that Apple also updated the following apps on December 19:
Apple typically doesn’t list app updates on its security release notes page (unless, of course, they contain fixes for vulnerabilities).
It is recommended to update as soon as you can.
If you haven’t yet upgraded to macOS Sonoma, be sure to first update your critical software. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings > General > Software Update.
If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type softwareupdate -l (that’s a lowercase L) in the Terminal and press Return/Enter, then check System Settings > General > Software Update again.
Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Sonoma) via System Preferences > Software Update. If you have an iMac Pro or a MacBook Pro (2018) that’s still running macOS High Sierra, look for macOS Sonoma in the Mac App Store and download it from there.
Note that only the latest macOS version (currently, that’s macOS Sonoma) is ever fully patched; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”
Users of iPhone or iPad can go to Settings > General > Software Update to update iOS or iPadOS on their devices. (This is called an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there.
To update watchOS on your Apple Watch, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Apple Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.
Whenever you’re preparing to update macOS, iOS, or iPadOS, it’s a good idea to back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.
See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.
Should you back up your iPhone to iCloud or your Mac? Here’s how to do both
We discussed the December 19 macOS Sonoma update on episode 324 of the Intego Mac Podcast.