Update, April 7: Apple has issued urgent newer patches: macOS Ventura 13.3.1, iOS/iPadOS 16.4.1, and Safari 16.4.1.
On Monday, March 27, Apple released security, bug-fix, and feature updates for all of its operating systems, Safari, and more.
Let’s examine what we know about the vulnerabilities that Apple mitigated, and various other highlights of each update.
Out of all the updates that were released this week, Apple seems to have only patched a single “actively exploited” (i.e. in-the-wild) vulnerability—for older OS versions that got skipped during last month’s patch cycle.
After not releasing any updates for iOS 15 or iPadOS 15 in the company’s February 2023 round of patches, Apple finally addressed CVE-2023-23529 in this week’s iOS and iPadOS 15.7.4 updates. This vulnerability in WebKit—the page rendering engine used by Safari and other parts of the operating system as well as third-party apps—was previously addressed in iOS and iPadOS 16.3.1, as well as the current and two previous major macOS versions. For more details about this vulnerability, see our article about February’s Apple patches.
Update Now: Urgent fix for macOS Ventura 13.2.1, iOS 16.3.1 resolves major vulnerability
For additional details about the iOS and iPadOS 15.7.4 updates, refer to that section of the article below.
Available for:
All supported Macs currently running macOS Ventura
New features:
Enterprise:
Improvements and bug fixes:
Security updates:
At least 58 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 18 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. Here are some notable ones:
Apple Neural Engine
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
Archive Utility
Impact: An archive may be able to bypass Gatekeeper
Description: The issue was addressed with improved checks.
Find My
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
Identity Services
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
Photos
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.
For the full list of security patches included in Ventura 13.3, have a look here.
Reportedly, Apple may have inadvertently introduced a new bug affecting users whose Home folder is stored on an external drive. Users with this uncommon configuration have reported receiving the message, “You are unable to log into the user account ‘[username]’ at this time. Logging into the account failed because an error occurred.” If you don’t have your Home directory on an external storage device, then you don’t need to worry about this bug; it’s important to install macOS Ventura 13.3 to address dozens of security vulnerabilities.
Users of macOS Ventura can get this update by going to System Settings > General > Software Update.
If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.
Available for:
All supported Macs currently running macOS Monterey
Enterprise, improvements and bug fixes:
Security updates:
At least 27 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 5 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. These issues overlap with those addressed in the macOS Ventura update—but, notably, significantly fewer issues were patched for this older macOS version, as is typical.
Because Apple is no longer patching every security vulnerability that affects macOS Monterey—Apple’s policy is that “not all known security issues are addressed in previous versions”—we advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.
For the full list of security patches included in Monterey 12.6.4, have a look here.
You can get this update by going to System Preferences > Software Update.
Available for:
All supported Macs currently running macOS Monterey
Security updates:
At least 25 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 5 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. Again, these issues overlap with those addressed in the macOS Ventura update—but, notably, significantly fewer issues were patched for this older macOS version, as is typical.
Because Apple is no longer patching every security vulnerability that affects macOS Big Sur, we advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.
For the full list of security patches included in Big Sur 11.7.5, have a look here.
You can get this update by going to System Preferences > Software Update.
Available for:
macOS Big Sur and macOS Monterey
This update addresses two WebKit issues with CVE numbers, with three “additional recognitions,” which overlap with those addressed in macOS Ventura.
The short list of fixes can be seen here, and the update is available in System Preferences > Software Update on applicable Macs. It will appear as an available update once macOS 12.6.4 or 11.7.5 has been installed.
Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
New features & functionality:
Enterprise:
Improvements and bug fixes:
Security updates:
At least 33 vulnerabilities were addressed in this update, plus 12 “additional recognitions,” most of which are the same issues addressed in the macOS updates.
The full list of security issues that were addressed can be found here. To get the update over the air, go to Settings > General > Software Update on your device.
Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Security updates:
At least 16 vulnerabilities were addressed in this update, plus two “additional recognitions,” most of which were covered in the previously mentioned OS updates.
Notably, as mentioned above, one “actively exploited” WebKit vulnerability that was addressed last month in iOS and iPadOS 16.3.1 finally got addressed in iOS and iPadOS 15.7.4. It is very concerning that Apple would leave a vulnerability unpatched for so long when it’s known to have been exploited in the wild. Approximately 18% of all iOS and iPadOS devices are currently running version 15.x, according to the latest data from StatCounter. Many of those devices likely cannot be upgraded to version 16.x, due to Apple dropping support for several iPhone and iPad models and the final model of iPod touch.
If your device is capable of running iOS 16, be sure to upgrade to the latest version as soon as possible. Don’t stay behind on iOS 15; it’s significantly less secure, and it’s not worth putting yourself at risk.
The full list of security issues that were addressed can be found here. To get the update over the air, go to Settings > General > Software Update on your device.
Available for:
Studio Display (2022, 27″) — not to be confused with 15–21″ Apple Studio Displays sold from 1998–2004
New features:
Security updates:
This new Studio Display firmware includes a single security fix (addressing CVE-2023-27965) and is only available for macOS Ventura 13.3 users. Interestingly, the same vulnerability was also patched in macOS Ventura 13.3 itself.
Display
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
The page mentioning the security fix can be found here. To get this latest update, open System Settings > General > Software Update. If you run into any issues updating your display’s firmware, have a look at Apple’s troubleshooting instructions here.
Available for:
Apple Watch Series 4 and later
Security updates:
At least 16 vulnerabilities were addressed in this update, plus seven “additional recognitions,” each of which was addressed in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
Meanwhile, there’s still no word on when (or if) Apple Watch Series 3—which Apple still sold refurbished until earlier this month—will get watchOS 8 security updates. Apple has, for unknown reasons, chosen not to release watchOS 9 for this model, putting the device in an awkward state of limbo.
The most recent update for watchOS 8 was in mid-August 2022, about a month before watchOS 9 came out. The most recent watchOS update that included security fixes came a month prior, in July 2022. (Concerningly, Apple chose not to patch two “actively exploited” vulnerabilities for watchOS 8.7.1 in its August patch cycle. However, both vulnerabilities were later patched in watchOS 9.0.) Now it has been more than eight months since the Apple Watch Series 3 has gotten any security updates.
As we’ve mentioned previously, simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.
It’s hard to understand how Apple could justify such seemingly negligent behavior regarding a product that it was still selling.
Intego has asked Apple multiple times for an update regarding watchOS 8 security updates for the Apple Watch Series 3, but Apple has neglected to respond to our inquiries.
Apple stops selling Watch Series 3 — eight months after its last security update
New features:
Security updates:
At least 14 vulnerabilities were addressed in this update, plus four “additional recognitions,” each of which was addressed in the previously mentioned OS updates.
The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) for HomePod mini also received an update. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
On March 30, Apple also released an update to its software development platform, Xcode. Version 14.3 addresses two vulnerabilities, which you can read about here.
If you have Xcode installed on macOS Ventura 13.0 or later, the update will show up under System Settings > General > Software Update.
If you get nothing else out of this article, here are some key points:
It is advisable to update to the latest operating systems as soon as you reasonably can. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.
If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the new Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.
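For anyone managing more than a handful of devices, the versions named in this article can be turned into a quick inventory triage. The following is an added example, not code from Apple or from this blog: the version floors and the CVE-2023-23529 fix versions come from the article, while the status labels, function names, and sample hostnames are assumptions made for illustration.

```python
import csv, io

# Minimum versions named in the article for the March 27, 2023 releases.
# (The April 7 update raises the newest lines to macOS 13.3.1 and iOS/iPadOS 16.4.1.)
PATCHED = {
    ("macos", 13): (13, 3, 0), ("macos", 12): (12, 6, 4), ("macos", 11): (11, 7, 5),
    ("ios", 16): (16, 4, 0), ("ios", 15): (15, 7, 4),
}
NEWEST = {"macos": 13, "ios": 16}
ITW_FIXED = {16: (16, 3, 1), 15: (15, 7, 4)}  # first iOS/iPadOS releases fixing CVE-2023-23529

def parse_version(text):
    """'15.7.3' -> (15, 7, 3); missing components are treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    """Return (status, exposed_to_cve_2023_23529) for one device."""
    platform = "ios" if platform.lower() == "ipados" else platform.lower()
    if platform not in NEWEST:
        raise ValueError(f"platform not covered by this example: {platform}")
    v = parse_version(version)
    floor = PATCHED.get((platform, v[0]))
    if floor is None:
        status = "newer-than-article" if v[0] > NEWEST[platform] else "no-update-listed"
    elif v < floor:
        status = "behind"
    elif v[0] < NEWEST[platform]:
        status = "partial"  # older line: Apple does not backport every fix
    else:
        status = "current"
    exposed = platform == "ios" and v[0] in ITW_FIXED and v < ITW_FIXED[v[0]]
    return status, exposed

def triage(inventory_csv):
    """Classify every row; devices exposed to the exploited bug sort first."""
    rows = [(r["host"], *classify(r["platform"], r["version"]))
            for r in csv.DictReader(io.StringIO(inventory_csv))]
    rank = {"behind": 0, "no-update-listed": 1, "partial": 2}
    return sorted(rows, key=lambda x: (not x[2], rank.get(x[1], 3)))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,platform,version
mbp-01,macos,13.3
imac-03,macos,11.7.5
iphone-04,ios,16.3.1
iphone-05,ios,15.7.3
ipad-06,ipados,16.2
"""
```
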
Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related article on how to check your macOS backups to ensure they work correctly.