On Thursday, May 18, Apple released updates to all of its operating systems. The updates included new features as well as security-related fixes—including for three “actively exploited” vulnerabilities.
Let’s take a look at the highlights of each update.
Notably, every single operating system that was updated this week received patches for three “actively exploited” (i.e. in-the-wild) vulnerabilities in WebKit. Two of these were patched previously for only macOS Ventura, iOS 16, and iPadOS 16, as part of Apple’s first-ever Rapid Security Response update on May 1.
WebKit
Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
Description: The issue was addressed with improved bounds checks.
WebKit Bugzilla: 255350
CVE-2023-32409: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 254930
CVE-2023-28204: an anonymous researcher
This issue was first addressed in Rapid Security Response macOS 13.3.1 (a).
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 254840
CVE-2023-32373: an anonymous researcher
This issue was first addressed in Rapid Security Response macOS 13.3.1 (a).
All of the updates below include these three urgent patches. (Technically, macOS Monterey and Big Sur received these patches in the form of their separate Safari update.)
Available for:
All supported Macs currently running macOS Ventura
New features:
Enterprise:
Improvements and bug fixes:
Security-related fixes and updates:
At least 51 vulnerabilities were addressed in this update. Aside from the three actively exploited vulnerabilities mentioned above, here are some interesting ones:
Accessibility
Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app
Description: This issue was addressed with improved checks.
CVE-2023-32400: Mickey Jin (@patch1t)
LaunchServices
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2023-32352: Wojciech Reguła (@_r3ggi) of SecuRing (wojciechregula.blog)
PackageKit
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved state management.
CVE-2023-32355: Mickey Jin (@patch1t)
Photos
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Description: The issue was addressed with improved checks.
CVE-2023-32390: Julian Szulc
Screen Saver
Impact: An app may be able to bypass Privacy preferences
Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.
CVE-2023-32363: Mickey Jin (@patch1t)
Siri
Impact: A person with physical access to a device may be able to view contact information from the lock screen
Description: The issue was addressed with improved checks.
CVE-2023-32394: Khiem Tran
For the full list of security patches included in Ventura 13.4, have a look here.
Users of macOS Ventura can get this update by going to System Settings > General > Software Update.
If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.
Available for:
All supported Macs currently running macOS Monterey
Security-related fixes and updates:
At least 29 vulnerabilities were addressed. They are a subset of the vulnerabilities addressed in the macOS Ventura update.
For the full list of security patches included in Monterey 12.6.6, have a look here.
You can get this update by going to System Preferences > Software Update.
Available for:
All supported Macs currently running macOS Big Sur
Security-related fixes and updates:
At least 25 vulnerabilities were addressed in this update, all of them the same as those addressed in the macOS Monterey and Ventura updates.
For the full list of security patches included in Big Sur 11.7.7, have a look here.
You can get this update by going to System Preferences > Software Update.
Available for:
macOS Big Sur and macOS Monterey.
This update addresses 5 WebKit issues, the same as those addressed in the macOS updates. Keep in mind that macOS Big Sur and Monterey users will need to install Safari 16.5 to receive the fixes for the three actively exploited WebKit vulnerabilities; the OS updates alone do not include them.
The short list of fixes can be seen here, and the update is available in System Preferences > Software Update on your Mac. It will pop up as an available update once macOS 12.6.6 or 11.7.7 has been installed.
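As an added example (not Intego's or Apple's code), here is a POSIX shell check an admin could run on each Mac in a fleet to confirm it carries the fixes described above, using the minimum versions from this roundup: Ventura 13.4, Monterey 12.6.6 and Big Sur 11.7.7, with the Safari 16.5 requirement for the latter two. The function names are the example's own.

```shell
#!/bin/sh
# Added example: does this Mac carry the May 18, 2023 WebKit fixes?
# Minimum versions from the roundup: Ventura 13.4, Monterey 12.6.6,
# Big Sur 11.7.7. Monterey and Big Sur receive the three actively
# exploited WebKit fixes only through the separate Safari 16.5 update.

# version_ge A B: succeed when dotted version A >= B, compared component
# by component as integers (missing components count as 0).
version_ge() {
    a=$(printf '%s.0.0' "$1" | cut -d. -f1-3)
    b=$(printf '%s.0.0' "$2" | cut -d. -f1-3)
    old_ifs=$IFS
    IFS=.
    set -- $a $b          # $1..$3 = A, $4..$6 = B
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# macos_patched OS_VERSION [SAFARI_VERSION]: succeed when the OS, and on
# Monterey/Big Sur also Safari, is at or above the patched release.
macos_patched() {
    os=$1
    safari=${2:-0}        # an unknown Safari version counts as unpatched
    case $os in
        13|13.*) version_ge "$os" 13.4 ;;
        12|12.*) version_ge "$os" 12.6.6 && version_ge "$safari" 16.5 ;;
        11|11.*) version_ge "$os" 11.7.7 && version_ge "$safari" 16.5 ;;
        *)       return 1 ;;   # no update in this round for older releases
    esac
}

# Stand-alone use on a Mac: read the live versions and report.
if command -v sw_vers >/dev/null 2>&1; then
    os_ver=$(sw_vers -productVersion)
    safari_ver=$(defaults read /Applications/Safari.app/Contents/Info.plist \
                 CFBundleShortVersionString 2>/dev/null || echo 0)
    if macos_patched "$os_ver" "$safari_ver"; then
        echo "OK: macOS $os_ver, Safari $safari_ver carry the May 2023 WebKit fixes"
    else
        echo "ACTION NEEDED: macOS $os_ver, Safari $safari_ver lack the May 2023 WebKit fixes"
    fi
fi
```

On a non-Mac host the script only defines the functions, so it can be sourced into an inventory tool that already holds the version strings.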
Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
New features & functionality:
Enterprise:
Improvements and bug fixes:
Security-related fixes and updates:
At least 44 vulnerabilities were addressed in this update (Apple’s original list counted 39; see the update note below), most of them the same as those addressed in the macOS updates. iOS and iPadOS 16.5 also address the three actively exploited WebKit vulnerabilities. Update: Apple added five additional vulnerabilities to the list on September 5, 2023.
The full list of security issues that were addressed can be found here. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Security-related fixes and updates:
At least 17 vulnerabilities were addressed in this update—fewer than half the number of those addressed in iOS 16.5. Of particular concern, the iOS and iPadOS 15.7.6 updates only patch two of the three actively exploited WebKit vulnerabilities. Users whose devices are incapable of upgrading to iOS or iPadOS 16 should consider buying newer hardware that supports the current, and fully patched, operating systems.
The full list of security issues that were addressed can be found here. To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.
Apple has not released a corresponding security update for older devices stuck on iOS 12. The most recent, and possibly final, security update for iOS 12 was released in January 2023, and it only patched a single vulnerability.
Again, users whose devices are incapable of upgrading to iOS or iPadOS 16 should consider buying newer hardware that supports the current, and fully patched, operating systems.
Available for:
Apple Watch Series 4 and later
Security-related fixes and updates:
At least 32 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
Although this may be the last time we’ll mention it in one of these round-ups, there’s still no watchOS 8 security update for Apple Watch Series 3, which Apple still sold refurbished until March. For unknown reasons, Apple chose not to release watchOS 9 for this model. This put the device in an awkward state of limbo for eight months, while Apple still sold it, knowing it was dangerously vulnerable. It would appear at this point that Apple intends to leave this watch model in a perpetually vulnerable state.
The most recent update for watchOS 8 was in mid-August 2022, about a month before watchOS 9 came out. The most recent watchOS update that included security fixes came a month prior, in July 2022. (Concerningly, Apple chose not to patch two “actively exploited” vulnerabilities for watchOS 8.7.1 in its August patch cycle. However, both vulnerabilities were later patched in watchOS 9.0.) Now it has been 10 months since the Apple Watch Series 3 has gotten any security updates.
As we’ve mentioned before, simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.
It’s hard to understand how Apple could justify such seemingly negligent behavior regarding a product that it was still selling.
Intego has asked Apple multiple times for an update regarding watchOS 8 security updates for the Apple Watch Series 3, but Apple has continually neglected to respond to our inquiries. It’s quite evident at this point that Apple has no intention of releasing any further security updates for the watch it stopped selling two months ago.
Update: The month after this article was published, Apple released a patch for a single security vulnerability affecting watchOS 8—but continued to neglect to patch any of the other major vulnerabilities that have impacted watchOS 8 over the previous 11 months.
Apple gives Watch Series 3 users false sense of security, patching 1 vulnerability
Security-related fixes and updates:
At least 28 vulnerabilities were addressed in this update, all of them the same as those covered in the previously mentioned OS updates.
The full list of security issues that were addressed can be found here.
Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) for HomePod mini also received an update. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update. However, according to the Mr. Macintosh blog, which keeps track of OS version numbers, the audioOS build numbers match those of tvOS, which seems to imply that the HomePod runs essentially the same operating system as the Apple TV.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, open the Home app on your iPhone or iPad, tap the House icon > Home Settings > Software Update, temporarily disable (toggle off) Install Updates Automatically, and then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
When Apple pushed out its first Rapid Security Responses (RSR) in early May, the company did not release any documentation about the contents of the updates.
Apple’s latest macOS, iOS, and iPadOS versions received an “(a)” addendum to their version numbers, namely macOS 13.3.1 (a), iOS 16.4.1 (a), and iPadOS 16.4.1 (a).
With the release of Thursday’s updates, it has become clearer how Apple plans to document these RSRs going forward. Unless Apple changes course, the company apparently won’t give RSRs their own line items on the Apple security updates page. Instead, the release notes of future updates will mention which vulnerabilities were patched in an RSR.
The release notes for two of the three “actively exploited” WebKit vulnerabilities fixed this week state that “This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)” or “iOS 16.4.1 (a) and iPadOS 16.4.1 (a),” respectively.
While not knowing exactly what is being addressed at the time these RSRs roll out is uncomfortable for some, it is good to know that Apple does intend to document them later.
Receiving patches for your Mac, iPhone, or iPad weeks early is a nice benefit for those running the latest operating systems. On the other hand, it is a bit concerning that Apple Watch, which also gets text messages and displays Web content, does not get an RSR of its own.
If you get nothing else out of this article, here are some key points:
It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple releases a Rapid Security Response or otherwise warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.
If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.
Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related article on how to check your macOS backups to ensure they work correctly.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.