The Mac Security Blog

Urgent: macOS Ventura 13.5, iOS 16.6, etc. fix major kernel vulnerability

On Monday, July 24, Apple released updates to its current operating systems as well as a few older ones. The updates fixed some bugs as well as security vulnerabilities—including “actively exploited” vulnerabilities.

Let’s take a look at some of the highlights of these updates.

Apple addresses zero-day vulnerabilities

In total, this week’s patches addressed three vulnerabilities Apple describes as “actively exploited,” meaning they are known to have been used in real-world attacks. An “actively exploited” vulnerability is also sometimes referred to as a “zero-day” or “in-the-wild” vulnerability.

Two of the three were addressed in previous patches; those fixes are now available for more Apple operating systems.

The brand-new “actively exploited” vulnerability addressed for the first time in this week’s updates is a kernel vulnerability named CVE-2023-38606. Based on the information Apple has provided, it appears that this vulnerability may have been used in attacks against iPhones in Russia, as part of the Operation Triangulation attack campaign used to spread TriangleDB iPhone spyware.

Kernel

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

Another actively exploited vulnerability—CVE-2023-37450, a WebKit issue previously addressed in this month’s Rapid Security Response updates—was re-released for the same operating systems, and also brought for the first time to watchOS 9 and tvOS 16. Notably, iOS 15 and iPadOS 15 appear not to have received patches for this vulnerability.

WebKit

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

CVE-2023-37450: an anonymous researcher

Finally, iOS 15.7.8 and iPadOS 15.7.8 apparently received a patch for CVE-2023-32409, a WebKit vulnerability that was patched for other Apple operating systems back on May 18.

WebKit

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350
CVE-2023-32409: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.5

Available for:
All supported Macs currently running macOS Ventura

Update information:

Apple did not specify which bugs were fixed, nor did it provide any details for enterprise users.

Security-related fixes and updates:
At least 42 vulnerabilities were addressed in this update. Aside from the actively exploited ones discussed earlier, here are a few other interesting ones:

AppleMobileFileIntegrity
Impact: An app may be able to determine a user’s current location
Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.

Assets
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved data protection.

Shortcuts
Impact: A shortcut may be able to modify sensitive Shortcuts app settings
Description: An access issue was addressed with improved access restrictions.

Out of all addressed issues, eight were WebKit related and 11 were kernel related. For the full list of security patches included in Ventura 13.5, have a look here.

You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running macOS High Sierra or older, look for macOS Ventura in the App Store and download it from there.

macOS Monterey 12.6.8

Available for:
All supported Macs currently running macOS Monterey

Security-related fixes and updates:
At least 22 vulnerabilities were addressed, all of which were addressed in the macOS Ventura update. For the full list of security patches included in Monterey 12.6.8, have a look here.

You can get this update by going to System Preferences > Software Update.

macOS Big Sur 11.7.9

Available for:
All supported Macs currently running macOS Big Sur

Security-related fixes and updates:
At least 18 vulnerabilities were addressed in this update, all of them the same as those addressed in the macOS Monterey and Ventura updates. For the full list of security patches included in Big Sur 11.7.9, have a look here.

You can get this update by going to System Preferences > Software Update.

Safari 16.6 for macOS Monterey and Big Sur

Available for:
macOS Big Sur and macOS Monterey.

This update addresses at least seven WebKit issues that were also addressed for macOS Ventura. The short list of fixes can be seen here, and the update is available to applicable Macs via System Preferences > Software Update. It will pop up as an available update once macOS 12.6.8 or 11.7.9 has been installed.

iOS 16.6 and iPadOS 16.6

Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Security-related fixes and updates:
At least 25 vulnerabilities were addressed in this update, most of them the same as those addressed in the macOS updates. The full list of security issues that were addressed can be found here.

To get the latest update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can download these updates over the air (i.e. directly onto the device) by going to Settings > General > Software Update on your device.

iOS 15.7.8 and iPadOS 15.7.8

Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Security-related fixes and updates:
At least 11 vulnerabilities were addressed in this update, all of which were covered in either this week’s or prior iOS 16 updates. The full list of security issues that were addressed can be found here.

To get this update, you can connect your device to your Mac to back it up and install the update. Alternatively, you can download these updates over the air by going to Settings > General > Software Update on your device.

watchOS 9.6

Available for:
Apple Watch Series 4 and later

Security-related fixes and updates:
At least 18 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.

The full list of security issues that were addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 8 users spurned once again

Meanwhile, Apple has once again left users of Apple Watch Series 3—which Apple was still selling until mid-March 2023—out in the cold with no security updates.

Apple has only patched a single vulnerability for watchOS 8 in the past 12 months, providing little more than a false sense of security to Apple Watch Series 3 users.

tvOS 16.6

Available for:
Apple TV 4K (all models) and Apple TV HD

Security-related fixes and updates:
At least 13 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.

The full list of security issues that were addressed can be found here.

audioOS 16.6

Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) was also updated. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update. However, according to the Mr. Macintosh blog, which keeps track of OS version numbers, the audioOS build numbers match those of tvOS, which seems to imply that the HomePod runs essentially the same operating system as the Apple TV.

HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.

Key takeaways

If you get nothing else out of this article, here are some key points:

All operating systems mentioned in this article received a fix for the new “actively exploited” kernel vulnerability identified as CVE-2023-38606. However, the actively exploited WebKit vulnerability known as CVE-2023-37450—which was originally addressed by the Rapid Security Response earlier this month—evidently remains unpatched in iOS 15.7.8 and iPadOS 15.7.8, as well as watchOS 8.8.1 (the latest watchOS available for the Apple Watch Series 3).

It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple releases a Rapid Security Response or otherwise warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.
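As an added example (not from the original article or from Apple), the shell script below checks an inventory against the first releases named in this article's section headings as carrying the CVE-2023-38606 fix. The host names and installed versions are constructed sample data, and the function names are illustrative.

```shell
# Added example: the fixed versions are copied from this article's section
# headings; the inventory rows at the bottom are constructed sample data.

# First release on each line that carries the CVE-2023-38606 kernel fix.
fixed_version() {  # $1 = OS name, $2 = major version
  case "$1:$2" in
    macOS:13) echo 13.5 ;;
    macOS:12) echo 12.6.8 ;;
    macOS:11) echo 11.7.9 ;;
    iOS:16|iPadOS:16) echo 16.6 ;;
    iOS:15|iPadOS:15) echo 15.7.8 ;;
    watchOS:9) echo 9.6 ;;
    tvOS:16) echo 16.6 ;;
    *) return 1 ;;  # release line not covered by this round of updates
  esac
}

# Numeric dotted-version compare: succeeds when $1 >= $2 (so 13.10 > 13.5).
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Prints patched, needs-<version>, or no-fix-listed for one device.
audit_host() {  # $1 = OS name, $2 = installed version
  floor=$(fixed_version "$1" "${2%%.*}") || { echo "no-fix-listed"; return 0; }
  if version_ge "$2" "$floor"; then echo "patched"
  else echo "needs-$floor"; fi
}

audit_inventory() {  # reads "host os version" rows on stdin
  while read -r host os ver; do
    printf '%s\t%s %s\t%s\n' "$host" "$os" "$ver" "$(audit_host "$os" "$ver")"
  done
}

audit_inventory <<'EOF'
mac-01 macOS 13.4.1
mac-02 macOS 12.6.8
phone-01 iOS 15.7.7
watch-01 watchOS 8.8.1
EOF
```

On a Mac, `audit_host macOS "$(sw_vers -productVersion)"` checks the local machine. A `no-fix-listed` result means the release line is not among the updates covered here, not that the device is safe.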

If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

If your Mac does not officially support the latest macOS version, you may be able to upgrade it anyway.

How to Install macOS Ventura or Sonoma on Unsupported Macs, for Security Improvements

If your Mac is old and you’re unwilling to take the unofficial macOS upgrade route (or your Mac is so old that it can’t even get macOS upgrades through unsupported means), but you absolutely have to use it online and accept the risks of doing so, you may want to consider using the Pale Moon browser rather than Safari. Pale Moon, a close relative of Firefox, works with macOS versions all the way back to OS X 10.7 Lion, and it continues to incorporate the latest Firefox security updates where applicable.

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.