On Tuesday, December 13, Apple released updates for its operating systems. These included iOS and iPadOS 16.2 as well as macOS Ventura 13.1, introducing new features as well as bug and security fixes. An “actively exploited” (i.e. zero-day, in-the-wild) vulnerability was fixed for most operating systems.
Let’s take a look at some of the new features, bug fixes, and security patches included in these updates.
First let’s take a look at the zero-day vulnerability that Apple addressed for multiple operating systems. Apple says of the update:
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group
Thirteen days earlier, Apple addressed this vulnerability in iOS 16.1.2, released on November 30. It was the only security issue that Apple has (so far) indicated was addressed in that update. Strangely, iPadOS didn’t receive an update at the time, and the release notes for this week’s iPadOS 16.2 update do not list this vulnerability as having been addressed.
However, several other operating systems received a fix for this vulnerability in this Tuesday’s patch update cycle:
For unknown reasons, the following operating systems are absent from that list:
It is unclear why these operating systems seemingly remain unpatched. Perhaps the vulnerability does not exist on these operating systems, or perhaps it exists but Apple does not believe it is exploitable. Or perhaps the issue was addressed but Apple just neglected to mention it. Alternatively, perhaps these operating systems remain vulnerable. Any of these scenarios is plausible.
Intego has reached out to Apple for comment. If Apple replies, this article will be updated with the company’s response. Update: Apple publicly acknowledged on December 22 that iPads received this fix in iPadOS 16.2. However, Apple has not yet responded regarding whether watchOS or Windows systems remain vulnerable.
Available for:
Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017)
New features:
Enterprise:
Enterprise users see the welcome return of Network Locations, reliability improvements when using DHCPv6, a resolution for an issue causing printers to be removed after a software update, and more.
Improvements and bug fixes:
Security-related fixes and updates:
At least 36 vulnerabilities were addressed in this update. Here are a few notable ones:
Accounts
Impact: A user may be able to view sensitive user information
Description: This issue was addressed with improved data protection.
AppleMobileFileIntegrity, CoreServices and Printing
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by enabling hardened runtime.
Kernel
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
Safari
Impact: Visiting a website that frames malicious content may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
Of the 36 identified fixes, five are for the kernel (the core of the OS) and 10 are for WebKit (the page-rendering engine used by Safari and other apps). This includes the vulnerability mentioned above that may have been actively exploited. The complete list can be seen here.
This may also be the first version of macOS Ventura that supports Rapid Security Responses, which Apple describes as “a mechanism for shipping security fixes to users more frequently,” but this has not yet been confirmed.
You can get this new macOS update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Ventura update appear. If your Mac is running macOS High Sierra or older, look for macOS Ventura in the App Store and download it from there.
Available for:
All supported Macs currently running macOS Monterey
Security-related fixes and updates:
At least 13 vulnerabilities were addressed in this update, most of which were also addressed in macOS Ventura 13.1. For the full list of security patches included in Monterey 12.6.2, have a look here.
One notable vulnerability, which Apple disclosed as previously having been silently patched in macOS Ventura 13, was also addressed for both macOS Monterey 12.6.2 and macOS Big Sur 11.7.2:
BOM
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2022-42821: Jonathan Bar Or of Microsoft
For additional details about the Gatekeeper bypass vulnerability, see our featured article about it.
Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear.
Available for:
All supported Macs currently running macOS Big Sur
Security-related fixes and updates:
At least 10 vulnerabilities were addressed in this update, including the aforementioned BOM vulnerability that could be used to bypass Gatekeeper. All of the vulnerabilities addressed in this Big Sur update were also addressed in macOS Monterey 12.6.2. For the full list of security patches included in macOS Big Sur 11.7.2, have a look here.
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear.
Available for:
macOS Monterey and macOS Big Sur
This update addresses the aforementioned 10 WebKit issues fixed in macOS Ventura 13.1, including the one that may have been actively exploited. This Safari update will protect Macs on the latest versions of Monterey and Big Sur from this particular vulnerability. The list of fixes can be seen here.
Safari 16.2 is available in System Preferences > Software Update on Macs running either macOS Monterey or Big Sur. It will appear as an available update once macOS Monterey 12.6.2 or Big Sur 11.7.2 has been installed.
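The following sketch is an added example, not code from Intego or Apple: it checks a Mac inventory against the patched versions named in this article, including the point above that Monterey and Big Sur receive the WebKit fixes through the separate Safari 16.2 update. The inventory format, hostnames, and function names are assumptions made for illustration.

```python
# Added example: patch-baseline check for the macOS and Safari fixes in this article.

# Minimum macOS version per major release, as stated in the article.
MACOS_BASELINE = {13: (13, 1), 12: (12, 6, 2), 11: (11, 7, 2)}
# Monterey and Big Sur get the WebKit fixes through Safari 16.2.
SAFARI_BASELINE = (16, 2)

def parse_version(text):
    """Turn '12.6.2' into (12, 6, 2); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def at_least(version, minimum):
    """Compare after zero-padding, so 13.1 and 13.1.0 are equal."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def assess(macos, safari=None):
    """Return a list of findings for one Mac; an empty list means at baseline."""
    os_ver = parse_version(macos)
    baseline = MACOS_BASELINE.get(os_ver[0])
    if baseline is None:
        return [f"macOS {macos}: no update for this release is listed in the article"]
    findings = []
    if not at_least(os_ver, baseline):
        findings.append(f"macOS {macos} is below {'.'.join(map(str, baseline))}")
    # Ventura 13.1 carries the WebKit fixes itself; older releases need Safari too.
    if os_ver[0] in (11, 12):
        if safari is None:
            findings.append("Safari version unknown; WebKit fixes need Safari 16.2")
        elif not at_least(parse_version(safari), SAFARI_BASELINE):
            findings.append(f"Safari {safari} is below 16.2 (WebKit fixes missing)")
    return findings

# Constructed inventory: (hostname, macOS version, Safari version or None).
INVENTORY = [
    ("mac-a", "13.1", "16.2"),
    ("mac-b", "12.6.2", "16.1"),
    ("mac-c", "11.7.1", None),
    ("mac-d", "10.15.7", "15.6.1"),
]

def audit(inventory):
    """Map hostname -> findings for every Mac that is not at baseline."""
    return {h: f for h, m, s in inventory if (f := assess(m, s))}
```

In the constructed inventory, `mac-b` is flagged even though its macOS version is current, because its Safari version is still 16.1.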
Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
New features:
Enterprise:
Enterprise users receive MDM improvements and bug fixes for Siri as well as 802.1X issues. For the full details, have a look here.
Improvements and bug fixes:
Security-related fixes and updates:
At least 35 vulnerabilities were addressed in this update. Here are a few notable ones that are not already covered in the macOS updates:
AppleAVD
Impact: Parsing a maliciously crafted video file may lead to kernel code execution
Description: An out-of-bounds write issue was addressed with improved input validation.
Graphics Driver
Impact: Parsing a maliciously crafted video file may lead to unexpected system termination
Description: The issue was addressed with improved memory handling.
iTunes Store
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.
Weather
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
The full list of security issues that were addressed can be found here. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Security-related fixes and updates:
At least 17 vulnerabilities were addressed in this update, most of which were included in iOS/iPadOS 16.2. The full list of security issues that were addressed can be found here.
To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Not surprisingly, iOS 12 did not receive a security update today.
We mentioned back in August that it wasn’t yet clear whether old devices stuck on iOS 12 would continue to get security updates after the release of iOS 16 and iPadOS 16. Apple never responded to our inquiries, but the lack of iOS 12 updates since the release of iOS 16 in September—during which time several actively exploited vulnerabilities have evidently remained unpatched on iOS 12—seems to be our answer.
If you still use a device that cannot be upgraded to iOS 16 (for example, an iPhone 6 which is stuck with iOS 12, or an iPhone 6s which is stuck with iOS 15), from a security perspective it’s best to replace the hardware as soon as practical.
Available for:
Apple Watch Series 4 and later
New features:
Improvements and bug fixes:
Security-related fixes and updates:
At least 25 vulnerabilities were addressed in this update, all of which were included in iOS/iPadOS 16.2.
To install this update, first make sure that your iPhone is up to date, that both your phone and watch are connected to the same Wi-Fi network, and that the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
The Apple Watch Series 3 is incompatible with watchOS 9. Apple was still selling new Series 3 units in its online store until the Series 8 and Ultra models were announced on September 7. To this day, more than three months since the release of watchOS 9, Apple continues to sell refurbished Series 3 Apple Watch units online. Meanwhile, exactly zero watchOS 8 updates have been made available for this model.
Simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.
Intego inquired of Apple back in October whether security updates for the Series 3 were forthcoming, but we never received any response. We followed up with Apple again today. If Apple responds, this article will be updated accordingly.
Available for:
Apple TV 4K (all generations) and Apple TV HD (aka 4th generation)
New features:
Siri
Apple Music
Security-related fixes and updates:
At least 28 vulnerabilities were addressed in this update, all of which were covered in iOS/iPadOS 16.2, with one addition: the “actively exploited” WebKit vulnerability that was previously fixed in iOS 16.1.2.
Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) for HomePod mini also received an update. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s macOS Ventura, iOS, and iPadOS updates.
If you have a Mac running Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the new Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to update to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.
Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
For additional details about the Gatekeeper bypass vulnerability, as well as several additional vulnerabilities that Apple didn’t mention on December 13 and added to the release notes on December 22, see our follow-up article.
Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories
We talked about Apple’s latest operating system updates on episode 270: