Software & Apps

Update Now: Urgent fix for macOS Ventura 13.2.1, iOS 16.3.1 resolves major vulnerability

Posted on by

On Monday, Apple released security updates for its operating systems, primarily to address an “actively exploited” (i.e. zero-day, in-the-wild) vulnerability. These updates included macOS Ventura 13.2.1, iOS and iPadOS 16.3.1, and more.

In this article, we’ll examine what we know about the vulnerabilities that Apple mitigated, and why it’s important to update quickly.

Update: Apple released macOS Big Sur 11.7.4 on Wednesday, noting that “This update has no published CVE entries.” A new section with additional details has been added below.

In this article:

Apple addresses zero-day vulnerability

First let’s take a look at the zero-day vulnerability that Apple addressed for multiple operating systems. Apple says of the update:

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 251944
CVE-2023-23529: an anonymous researcher

The vulnerability was mitigated in macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.1 for macOS Monterey and macOS Big Sur.

Notably, Apple has not yet released a corresponding patch for iOS 15 or iPadOS 15. This is significant, because many people still use iPhones and iPads that cannot be upgraded to iOS 16 or iPadOS 16. Additionally, the iPod touch (7th generation), which had just barely been discontinued in May 2022 before iOS 16 was announced in June, cannot be upgraded to iOS 16, either.

Although Apple also patched vulnerabilities in tvOS 16 and watchOS 9 this week, Apple has yet to release the details about what was patched in those updates, so it is not yet clear whether those operating systems were affected or received patches for this WebKit vulnerability.

Little information is publicly available about the vulnerability. The WebKit Bugzilla issue only allows “authorized” users to access it and see the details. So far, MITRE and NIST have not published any details about the CVE. Given that the vulnerability was reported anonymously, and that Apple acknowledged The Citizen Lab in its iOS update details, there is some speculation within the security community that this vulnerability may have been used by Pegasus or other commercial spyware often used by governments and law enforcement agencies. However, this possible connection has not been confirmed.

Intego has reached out to Apple to inquire whether the vulnerability impacts tvOS, watchOS, or previous versions of iOS and iPadOS. Based on Apple’s track record, we do not anticipate that Apple will respond to our (or any journalist’s) inquiries about this matter.

Before this week, the most recent “actively exploited” vulnerability that Apple patched was a similar-sounding WebKit issue, also related to the processing of “maliciously crafted web content.” Apple patched that vulnerability, CVE-2022-42856, on December 13, 2022 for macOS Ventura, Monterey, and Big Sur, for iOS and iPadOS 16 and 15, and for tvOS 16. Notably, the patch was not among those listed in watchOS 9.2’s security release notes; Apple never confirmed to Intego whether the vulnerability impacted watchOS. Apple later patched the same vulnerability for iOS 12 on January 23, 2023.

macOS Ventura 13.2.1

Available for:
All supported Macs currently running macOS Ventura

Security updates:
At least three vulnerabilities were addressed in this update. Apple’s page with macOS Ventura 13.2.1’s security details currently mentions the WebKit vulnerability detailed above, and two others:

Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

 

Shortcuts
Impact: An app may be able to observe unprotected user data
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

Users of macOS Ventura can get this update by going to System Settings > General > Software Update.

If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the App Store and download it from there.

macOS Monterey — no security updates yet

Apple has not yet released any security updates specifically for macOS Monterey this week, other than a separate Safari update (detailed below) that addresses the aforementioned WebKit vulnerability.

As a reminder, Apple is no longer patching every security vulnerability that affects macOS Monterey. Apple’s policy is that “not all known security issues are addressed in previous versions.” We advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.

macOS Big Sur 11.7.4

Available for:
All Macs currently running macOS Big Sur

Improvements and bug fixes:
According to MacRumors, the Big Sur update “addresses an ongoing issue with Safari [Favorites] icons.” Apple had not yet published details about the update on its What’s new in the updates for macOS Big Sur support page at the time we last updated this article. However, the Safari icon issue is not mentioned in the Apple Software Update description of the patch.

Security updates:
Apple Software Update claims that “This update provides important security fixes and is recommended for all users.” However, the Apple security updates support page only states that “This update has no published CVE entries.”

This is not necessarily a contradiction; it’s possible that Apple may have addressed security issues for which no CVE number has been assigned. However, the lack of a corresponding security update for macOS Monterey—the operating system that came in between Big Sur and Ventura—certainly seems odd.

The WebKit vulnerability was addressed in a separate Safari update for macOS Big Sur users (see below).

If you have a Mac running macOS Big Sur, you can get this update by going to System Preferences > Software Update.

As a reminder, Apple is no longer patching every security vulnerability that affects macOS Big Sur. Apple’s policy is that “not all known security issues are addressed in previous versions.” We advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.

Safari 16.3.1 for macOS Monterey and Big Sur

Available for:
macOS Monterey and macOS Big Sur

As of today, Apple only mentions the single WebKit issue mentioned above in its list of fixes for Safari 16.3.1.

Notably, Apple mistakenly re-released this patch as Safari 16.3 in Software Update. If you’re running macOS Monterey or Big Sur, you can confirm whether you have the latest version by opening Safari, clicking on the Safari menu next to the Apple menu, then clicking on About Safari. After installing this patch, the version will be listed as “Version 16.3 (177614.4.6.11.6)” if your Mac is running Monterey, or “Version 16.3 (167614.4.6.11.6)” if your Mac is running Big Sur.

The update is available in System Preferences > Software Update on your Mac.

iOS 16.3.1 and iPadOS 16.3.1

Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Security updates:
At least two vulnerabilities were addressed in this update: the WebKit and Kernel vulnerabilities listed above. Apple also acknowledged “The Citizen Lab at The University of Toronto’s Munk School for their assistance” with unspecified security issues.

The full list of security issues that were addressed can be found here. To get the update over the air, go to Settings > General > Software Update on your device.

iOS 15 and iPadOS 15 — no security updates yet

In recent years, Apple has released patches for “actively exploited” vulnerabilities for previous versions of iOS, specifically for hardware that cannot support the current operating system. However, Apple sometimes waits days, weeks, or even months before patching previous OS versions.

So far, Apple has not yet released a corresponding patch for iOS 15 or iPadOS 15 to address the actively exploited WebKit vulnerability. Those who still use devices that cannot be upgraded to iOS 16 or iPadOS 16, including the iPod touch (7th generation), presumably remain vulnerable for the time being. Intego has reached out to Apple to confirm whether the WebKit vulnerability impacts previous versions of iOS and iPadOS, and when we can expect a patch. Update: Apple finally patched this vulnerability more than a month later, in iOS and iPadOS 15.7.4.

watchOS 9.3.1

Available for:
Apple Watch Series 4 and later

Security updates:
Apple released watchOS 9.3.1 on Monday, but so far the company has not released any details about which security vulnerabilities it addresses. For now, the Apple security updates page simply says, “details available soon.”

To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 8 — still no security updates for seven months

Meanwhile, there’s still no word on when (or if) Apple Watch Series 3—which Apple still sells refurbished—will get watchOS 8 security updates. Apple has, for unknown reasons, chosen not to release watchOS 9 for this model, putting the device in an awkward state of limbo.

The most recent security update for watchOS 8 was in July 2022, about two months before watchOS 9 came out. That means it has been nearly seven months since the Apple Watch Series 3 has gotten any security updates.

As we’ve mentioned previously, simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.

It’s hard to understand how Apple can justify such seemingly negligent behavior regarding any product that it’s still selling.

Intego has asked Apple multiple times since October for an update regarding watchOS 8 security for the Apple Watch Series 3, but Apple has neglected to respond to our inquiries.

tvOS 16.3.2

Available for:
Apple TV 4K (all generations), and Apple TV HD (aka 4th generation)

Security-related fixes and updates:

Apple released tvOS 16.3.2 on Monday, but so far the company has not released any details about which security vulnerabilities it addresses. For now, the Apple security updates page simply says, “details available soon.”

This update comes just a week after tvOS 16.3.1, for which Apple has not published any security details. Apple said that tvOS 16.3.1 “has no published CVE entries,” although this does not necessarily mean that no security issues were addressed.

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Key takeaways

If you get nothing else out of this article, here are some key points:

  • Apple released a bunch of updates this week, including mitigations for a vulnerability that has been actively exploited in the wild; check for and install updates on all your Apple devices!
  • At this point, macOS Ventura, iOS 16, and iPadOS 16 are the only safe operating systems to use on Macs, iPhones, and iPads, respectively.
    • If you have a Mac for which Apple doesn’t officially support Ventura, you may be able to upgrade it anyway.
    • If you have an older iPhone or iPad that isn’t compatible with 16.x, or any iPod touch, buying a new device is the safest option.
  • Don’t buy an Apple Watch Series 3. Apple has not been providing security updates for it for seven months now, even though the company continues to sell it.

It is advisable to update to the latest operating systems as soon as you reasonably can. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected.

If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the new Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to update to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon. View all posts by Joshua Long →