Urgent Patches: macOS Ventura 13.3.1, iOS 16.4.1 fix 2 actively exploited vulns (UPDATED)
Posted on by Joshua Long
On Friday, April 7, Apple released emergency security updates for macOS Ventura, iOS 16 and iPadOS 16, and Safari to address two “actively exploited” (zero-day, in the wild) vulnerabilities.
On Monday, April 10, Apple released additional patches for macOS Monterey, macOS Big Sur, iOS 15 and iPadOS 15 to address the same vulnerabilities.
Let’s examine what we know about the two vulnerabilities that Apple mitigated.
In this article:
- macOS Ventura 13.3.1, iOS 16.4.1, and iPadOS 16.4.1
- Safari 16.4.1 for macOS Monterey and Big Sur
- NEW macOS Monterey 12.6.5 and macOS Big Sur 11.7.6
- NEW iOS 15.7.5 and iPadOS 15.7.5
- Key takeaways
- How can I learn more?
macOS Ventura 13.3.1, iOS 16.4.1, and iPadOS 16.4.1
What was fixed in macOS Ventura 13.3.1 and iOS/iPadOS 16.4.1?
Two highly critical vulnerabilities were addressed in this update:
IOSurfaceAccelerator
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
WebKit is the page-rendering engine used by Safari and other components of Apple operating systems. Third-party apps also use WebKit to render HTML content.
There aren’t yet any additional details about the vulnerabilities on the MITRE or NIST databases, and there are no clear connections yet on the Google TAG or Amnesty International blogs, but more details might be forthcoming:
- MITRE: CVE-2023-28205 • NIST: CVE-2023-28205
- MITRE: CVE-2023-28206 • NIST: CVE-2023-28206
- Google TAG Blog • Amnesty International Tech Blog
Apple links to the details of the security patches included in macOS Ventura 13.3.1 and iOS 16.4.1 and iPadOS 16.4.1 on the Apple security updates page on its site.
As of early Friday there was no word yet on whether Ventura 13.3.1 had also fixed the bug that Apple reportedly introduced in 13.3 that affects users whose Home folder is stored on an external drive. Users with this uncommon configuration have reported receiving the message, “You are unable to log into the user account ‘[username]’ at this time. Logging into the account failed because an error occurred.” If you don’t have your Home directory on an external storage device, then you don’t need to worry about this bug; it’s important to install the latest macOS Ventura update to address the aforementioned critical security vulnerabilities. UPDATE: Macworld later reported that this issue was indeed fixed in macOS Ventura 13.3.1.
Early on Monday, April 10, security researcher Linus Henze released proof-of-concept code demonstrating how to exploit CVE-2023-28206. In part, this means that threat actors that had not already been aware of the vulnerability before Apple patched it, and had not yet reverse-engineered Apple’s Friday patches, can now more easily exploit the vulnerability on unpatched systems. Therefore, it’s even more urgent to install the updates, as there is an increased risk of more widespread exploitation in the wild.
How to update to macOS Ventura 13.3.1
Macs running macOS Ventura can get this update by going to System Settings > General > Software Update.
If your Mac is still running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.
For optimal security, we advise all Mac users to upgrade to macOS Ventura if your Mac supports it—or you may even be able to run macOS Ventura on an unsupported Mac, at your own risk.
How to update to iOS 16.4.1 or iPadOS 16.4.1
Some devices cannot be upgraded to version 16.x, due to Apple dropping support for several iPhone and iPad models, as well as the final model of iPod touch. For those older devices, it’s best to update to 15.7.5 for now, and replace the devices with 16.x-compatible hardware as soon as possible for optimal security.
If you have an iPhone or iPad that’s compatible with iOS 16 or iPadOS 16, the new 16.4.1 update can be obtained by going to Settings > General > Software Update on your device.
Safari 16.4.1 for macOS Monterey and Big Sur
A corresponding Safari 16.4.1 update for macOS Monterey and macOS Big Sur was also released.
However, the Safari update only addresses one of the two vulnerabilities, namely CVE-2023-28205, the WebKit issue.
It isn’t yet known whether or not The other vulnerability, CVE-2023-28206, also affects macOS Monterey and Big Sur; if so, the two older Mac operating systems may remain remained vulnerable over the weekend. This was not an unprecedented occurrence; Apple frequently leaves previous macOS versions not fully patched. UPDATE: Apple released additional updates for macOS Monterey and Big Sur on Monday, April 10; see below.
Nice work, all! 👏 Can you please comment on whether CVE-2023-28206 also affects macOS Monterey or Big Sur (which were not patched today)?
— Josh Long (the JoshMeister) (@theJoshMeister) April 7, 2023
If we get an answer to this question, we’ll be sure to update this article accordingly. UPDATE: See below.
You can see the details of Safari 16.4.1 on Apple’s security updates page.
The Safari update is available via System Preferences > Software Update on applicable Macs. However, as mentioned earlier, it’s much safer to upgrade to macOS Ventura rather than to partially patch a previous macOS version.
macOS Monterey 12.6.5 and macOS Big Sur 11.7.6
On Monday, April 10, Apple released macOS Monterey 12.6.5 and macOS Big Sur 11.7.6 to address the second actively exploited vulnerability, CVE-2023-28206.
Nevertheless, because Apple is no longer patching every security vulnerability that affects macOS Monterey or macOS Big Sur; Apple’s policy is that “not all known security issues are addressed in previous versions.” We advise users to upgrade to macOS Ventura if your Mac supports it. You may even be able to upgrade an unsupported Mac to macOS Ventura, at your own risk.
You can get this update by going to System Preferences > Software Update.
iOS 15.7.5 and iPadOS 15.7.5
On Monday, April 10, Apple released iOS 15.7.5 and iPadOS 15.7.5 to address both of the aforementioned actively exploited vulnerabilities.
Approximately 18% of all iOS or iPadOS devices are currently running version 15.x, according to the latest data from StatCounter. Many of those devices likely cannot be upgraded to version 16.x, due to Apple dropping support for several iPhone and iPad models, as well as the final model of iPod touch.
If your device is capable of running iOS/iPadOS 16, be sure to upgrade to the latest version as soon as possible. Don’t stay behind on iOS/iPadOS 15; they’re significantly less secure, and it’s important to upgrade quickly to avoid leaving yourself at risk.
If, however, your device is stuck with iOS/iPadOS 15 and you can’t yet upgrade to newer hardware that supports iOS/iPadOS 16, you can at least mitigate some known vulnerabilities by updating to 15.7.5 over the air via Settings > General > Software Update.
Key takeaways
If you get nothing else out of this article, here are some key points:
- Apple has released urgent security updates over the past few days; check for and install updates on your Macs, iPhones, and iPads!
- At this point, macOS Ventura, iOS 16, and iPadOS 16 are the only safe operating systems to use on Macs, iPhones, and iPads, respectively.
- If you have a Mac for which Apple doesn’t officially support Ventura, you may be able to upgrade it anyway.
- If you have an older iPhone or iPad that isn’t compatible with 16.x, or any iPod touch, buying a new device is the safest option.
It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.
If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.
Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related article on how to check your macOS backups to ensure they work correctly.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: