On Monday, December 11, Apple released operating system updates that introduced new features and fixed security vulnerabilities. Although this time Apple didn’t patch any “actively exploited” zero-day vulnerabilities, Apple did address several high-severity issues. Let’s take a look at some of the highlights of this week’s updates.
Available for:
All supported Macs capable of running macOS Sonoma
Update information:
Enterprise:
Security-related fixes and updates:
At least 40 vulnerabilities with CVEs (and two “additional recognitions”) were addressed in this update. Here are some of the most notable ones:
AppleGraphicsControl
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
CVE-2023-42901, CVE-2023-42903, CVE-2023-42904, CVE-2023-42905, CVE-2023-42906, CVE-2023-42907, CVE-2023-42908, CVE-2023-42909, CVE-2023-42910, CVE-2023-42911, CVE-2023-42912, CVE-2023-42926: Ivan Fratric of Google Project Zero
AppleVA
Impact: Processing an image may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42882: Ivan Fratric of Google Project Zero
AppleVA
Impact: Processing a file may lead to unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42881: Ivan Fratric of Google Project Zero
Entry added December 12, 2023
Bluetooth
Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard
Description: The issue was addressed with improved checks.
CVE-2023-45866: Marc Newlin of SkySafe
CoreServices
Impact: A user may be able to cause unexpected app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)
ImageIO
Impact: Processing an image may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42898: Junsung Lee
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee
IOKit
Impact: An app may be able to monitor keystrokes without user permission
Description: An authentication issue was addressed with improved state management.
CVE-2023-42891: an anonymous researcher
Kernel
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved memory handling.
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)
ncurses
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, and CVE-2020-19190
TCC
Impact: An app may be able to access protected user data
Description: A logic issue was addressed with improved checks.
CVE-2023-42932: Zhongquan Li (@Guluisacat)
Vim
Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution
Description: This issue was addressed by updating to Vim version 9.0.1969.
CVE-2023-5344
WebKit
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259830
CVE-2023-42890: Pwn2car
For the full list of security patches included in macOS Sonoma 14.2, have a look here.
You can get this update by going to System Settings > Software Update, where compatible Macs running macOS Mojave or newer will see the Sonoma update appear. If your Mac is running macOS High Sierra or older, look for macOS Sonoma in the App Store and download it from there.
Notably, users of OpenCore Legacy Patcher (i.e. people who run macOS Sonoma on an unsupported Mac) must update to the latest version before upgrading to macOS Sonoma 14.2.
In macOS Sonoma 14.2, Apple updated curl to version 8.4.0 to address several vulnerabilities. (Intego published an exclusive report about macOS Sonoma’s curl vulnerabilities in November.) Interestingly, Apple did not mention this fact in its security release notes.
However, macOS Sonoma is still missing a number of major security patches. Intego has discovered that several other critical-severity vulnerabilities, including one that has been actively exploited in the wild, appear to remain unpatched in macOS Sonoma 14.2.
Apple neglects to patch multiple critical vulnerabilities in macOS
Available for:
All supported Macs currently running macOS Ventura
Security-related fixes and updates:
Apple addressed at least 17 vulnerabilities in macOS Ventura 13.6.3. Each one was also addressed in the macOS Sonoma update. Enterprise users did receive the following improvement through the previous 13.6.2 update, which was not covered by us as it contained no security-related content:
MacBook Pro 14-inch and 16-inch computers with Apple silicon no longer start up to a black screen or circled exclamation point after the built-in display’s default refresh rate is changed.
For the full list of security patches included in Ventura 13.6.3, have a look here.
You can get this update by going to System Settings > Software Update.
Available for:
All supported Macs currently running macOS Monterey
Security-related fixes and updates:
Apple addressed at least 15 vulnerabilities in this update. Each one was also addressed in the macOS Sonoma and Ventura updates.
For the full list of security patches included in Monterey 12.7.2, have a look here.
You can get this update by going to System Preferences > Software Update.
Available for:
macOS Ventura and macOS Monterey
This update addresses two WebKit issues (CVE-2023-42883 and CVE-2023-42890), both of which Apple addressed in the macOS Sonoma 14.2 update.
The short list of fixes can be seen here, and the update is available in System Preferences > Software Update on your Mac. It will pop up as an available update once macOS 13.6.3 or 12.7.2 has been installed.
Available for:
iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Update information:
This update introduces Journal, an all-new way to reflect on life’s moments and preserve your memories. (Sadly, Journal is not yet available for iPad or Mac.)
This release also includes Action button and Camera enhancements, as well as other features, bug fixes, and security updates for your iPhone.
About Journal:
Enterprise:
allowLiveVoicemail, to allow enabling or disabling of Live Voicemail via MDM.
forcePreserveESIMOnErase key is set to True.
Bug fixes and improvements:
Security-related fixes and updates:
Apple addressed at least 12 vulnerabilities in this update, most of which we covered in the macOS updates.
The full list of security issues that Apple addressed can be found here. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Security-related fixes and updates:
Apple addressed at least 8 vulnerabilities in this update, most of which we covered in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here. To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
Apple Watch Series 4 and later
Update information:
watchOS 10.2 includes new features, improvements, and bug fixes, including:
Security-related fixes and updates:
Apple addressed at least 9 vulnerabilities in this update, most of which we covered in the previously mentioned OS updates.
The full list of security issues that Apple addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
Update information:
This update enhances the FaceTime, Fitness, and Apple TV apps, streamlines voice search in supported apps, adds new support for Siri, and includes performance and stability improvements.
Security-related fixes and updates:
Apple addressed at least 8 vulnerabilities in this update, most of which we covered in the previously mentioned OS updates.
The full list of security issues that Apple addressed can be found here.
Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) was also updated. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.
However, according to the Mr. Macintosh blog, which keeps track of OS version numbers, the audioOS build number always matches that of tvOS, which seems to imply that the HomePod runs essentially the same operating system as the Apple TV.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
Aside from the aforementioned vulnerabilities that remain in macOS Sonoma 14.2, there were also some older OS versions that Apple didn’t update this week.
Apple did not release any security patches for iOS 15 or iPadOS 15 today, either. As the two-versions-old mobile operating systems, both receive only minimal patches, if any, at this point.
Many devices such as iPhone 6S, iPhone SE (1st generation), iPhone 7, and iPads of a similar vintage, are only able to run version 15 of their respective operating systems. Therefore, they presumably remain vulnerable to both of the actively exploited WebKit vulnerabilities as of today. It remains to be seen when—or if—Apple will release further patches for iOS 15 or iPadOS 15 for these devices. Apple’s most recent update for these operating systems was just over a month ago, on October 25.
To reiterate, Apple does not patch all applicable security vulnerabilities for previous operating system versions, such as iOS 15. If your device cannot be upgraded to iOS 17, it’s best to buy newer hardware.
It has been nearly 11 months since Apple last released a security update for older devices stuck on iOS 12. The most recent, and probably final, security update for iOS 12 was released in January 2023, and it only patched a single vulnerability.
Again, users whose devices are incapable of upgrading to iOS or iPadOS 17 should consider buying newer hardware that supports the current, and fully patched, operating systems.
Likewise, there wasn’t a watchOS 9 update today, either.
It remains to be seen whether Apple will continue patching watchOS 9. Every Apple Watch model that was compatible with watchOS 9 (namely, Series 4 and later) is also compatible with watchOS 10, so there’s little reason for Apple to patch watchOS 9 anymore.
The most recent watchOS 9 security update was released in September. Since then, Apple has released security updates for watchOS 10 only once, but that update addressed 11 vulnerabilities—at least some of which likely affect watchOS 9 as well.
Unsurprisingly, watchOS 8 didn’t get an update, either. The only Apple Watch model that’s stuck with watchOS 8 is the Apple Watch Series 3. Apple sold the Series 3 until March 2023—even after the company had seemingly ceased all updates for watchOS 8. Apple did release a single update, patching a single vulnerability in watchOS 8, in June 2023, but this has been the only vulnerability Apple has patched for the OS from July 2022 to present.
All Apple Watch models older than the Series 4 should be considered perpetually vulnerable, and unsafe to use.
It is recommended to update as soon as you can.
If you haven’t yet upgraded to macOS Sonoma, be sure to first update your critical software. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings > General > Software Update.
If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type softwareupdate -l (that’s a lowercase L) in the Terminal and press Return/Enter, then check System Settings > General > Software Update again.
Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Sonoma) via System Preferences > Software Update. If you have an iMac Pro or a MacBook Pro (2018) that’s still running macOS High Sierra, look for macOS Sonoma in the Mac App Store and download it from there.
Note that only the latest macOS version (currently, that’s macOS Sonoma) is ever fully patched; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”
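For anyone checking more than one Mac, the following added example (not Intego's or Apple's code) classifies macOS version strings against the three releases named in this article: 14.2, 13.6.3 and 12.7.2. The status words, function names and the inventory of hostnames are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: compare macOS versions with the releases named in this article.

# ver_ge A B: succeed when dotted version A >= B (missing fields count as 0).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# patch_status VERSION: print a status word for a macOS product version.
# On a Mac, pass in the output of: sw_vers -productVersion
patch_status() {
    v=$1
    case $v in ''|*[!0-9.]*) echo invalid; return ;; esac
    case ${v%%.*} in
        14) min=14.2   latest=yes ;;  # Sonoma, the latest macOS line
        13) min=13.6.3 latest=no  ;;  # Ventura, gets a subset of the fixes
        12) min=12.7.2 latest=no  ;;  # Monterey, gets a subset of the fixes
        *)  echo no-update-listed; return ;;
    esac
    if ! ver_ge "$v" "$min"; then echo "needs-update:$min"
    elif [ "$latest" = yes ]; then echo current
    else echo partial
    fi
}

# audit: read "host version" lines on stdin, print "host version status".
audit() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$ver" "$(patch_status "$ver")"
    done
}

# Constructed inventory (hostnames and versions are made up for the example).
audit <<'EOF'
mac-01 14.2
mac-02 14.1.2
mac-03 13.6.3
mac-04 12.7.1
mac-05 11.7.10
EOF
```

A "partial" result means the Mac has the newest update for its macOS line but, as noted above, not every fix that went into Sonoma.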
Users of iPhone or iPad can go to Settings > General > Software Update to update iOS or iPadOS on their devices. (This is called an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there.
To update watchOS on your Apple Watch, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Apple Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.
Whenever you’re preparing to update macOS, iOS, or iPadOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.
See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.