On Wednesday this week, Apple released updates to all of its operating systems and Safari. Let’s take a look at what these updates have to offer in terms of security patches.
macOS Monterey 12.2
Apple’s latest Mac operating system update is available for all supported Macs currently running macOS Monterey.
The new macOS 12.2 includes bug fixes and security updates for your Mac and is recommended for all users. No new features were made available, but some bug fixes were included for enterprise users:
- Resolves an issue that prevented searching mail in Microsoft Outlook.
- Resolves an issue that prevented authenticating to a Windows print server with increased RPC authentication level.
- Resolves an issue opening websites while using an authenticated proxy with a Network Extension.
- Resolves an issue where Network Extensions may intermittently lose connectivity after long periods of use.
At least 13 security-related patches are included in this update, including but not limited to:
Impact: An application may be able to access a user’s files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.
Intel Graphics Driver
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
Impact: An application may be able to access restricted files
Description: A permissions issue was addressed with improved validation.
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.
IOMobileFrameBuffer is what developers use to control how a device's memory handles the screen display. The security fix included in Monterey 12.2 (and other updates) addresses a memory corruption bug that, under the right circumstances, allowed a malicious application to execute code with kernel privileges.
The WebKit Storage security fix addresses a vulnerability that allowed websites to read your internet activity and even reveal your identity (as discussed in episode 223 of The Intego Mac Podcast). This bug has finally been addressed, about two months after it was reported in late November 2021. If you want to know whether an older version of Safari is vulnerable, you can use this test website.
For the full list of security patches included in Monterey 12.2, have a look here.
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running High Sierra or older, look for macOS Monterey in the App Store and download it from there.
macOS Big Sur 11.6.3
Still on a regular point-release schedule, Big Sur has received another update. This update is listed as being “recommended for all users and improves the security of macOS.” It includes at least seven security patches. Most of them are the same as those seen in Monterey 12.2.
It is unclear why this update was another point-release and not a Security Update, as no new features were introduced. Before macOS Monterey, Apple used to keep the version numbers the same for the two previous operating systems, and the company would release numbered Security Updates for those OSes instead. Apple has continued this practice for Catalina, but has changed its practice for Big Sur now that it’s the “n minus 1” release of macOS.
The full list can be seen here, and the update is available in System Preferences > Software Update on your Mac.
Security Update 2022-001 Catalina
This update includes at least five security patches, which you can read about on this page. They are the same patches that were made in the 11.6.3 Big Sur update, minus a few. The IOMobileFrameBuffer fix is not included in this update. It is unknown whether Catalina is not vulnerable or whether Apple chose not to address the issue for the now two-versions-old operating system. The update is available in System Preferences > Software Update on your Mac.
Made available as a separate download for macOS Catalina and Big Sur users, this update addresses at least four vulnerabilities, with one of them being the WebKit Storage fix.
The short list of fixes can be seen here. The update is available in System Preferences > Software Update on your Mac.
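To check from Terminal whether a Mac already runs one of the macOS releases listed above, the following added example (not from Apple or from this article's author) compares a version string against Monterey 12.2 and Big Sur 11.6.3. The function names and status labels are assumptions of this example; Catalina (10.15) can only be flagged for a manual check, because a Security Update does not change the version number.

```shell
#!/bin/sh
# Added example: classify a macOS version string against the releases
# named in this article (Monterey 12.2, Big Sur 11.6.3, Catalina).

# ver_ge A B: succeed if dotted version A >= B (missing parts count as 0).
ver_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        # Drop the component just read; clear the string on the last one.
        [ "$va" = "$x" ] && va= || va=${va#*.}
        [ "$vb" = "$y" ] && vb= || vb=${vb#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# patch_status VERSION: print one status label (labels are this example's own).
patch_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # reject non-numeric input
    esac
    case ${v%%.*} in
        12) ver_ge "$v" 12.2   && echo patched || echo needs-update ;;
        11) ver_ge "$v" 11.6.3 && echo patched || echo needs-update ;;
        10) # Catalina is 10.15; its Security Update leaves the version
            # number unchanged, so the version alone cannot confirm it.
            if ver_ge "$v" 10.15 && ! ver_ge "$v" 10.16; then
                echo check-security-update
            else
                echo no-update-listed
            fi ;;
        ''|[0-9]) echo no-update-listed ;;
        *) echo newer-than-article ;;
    esac
}

# On a Mac, report the status of the running system.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status "$(sw_vers -productVersion)"
fi
```

For a `check-security-update` result, confirm in System Preferences > Software Update that Security Update 2022-001 is no longer offered.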
iOS 15.3 and iPadOS 15.3
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
iOS 15.3 is listed as an update that “includes bug fixes and security updates for your iPhone/iPad and is recommended for all users.” At least ten security issues were fixed in this update, including the IOMobileFrameBuffer and WebKit Storage issues. The remaining patches are the same as those seen in the other OSes.
The full list of security issues that were addressed can be found here.
To install the latest iOS updates, go to Settings > General > Software Update on your device.
Available for: Apple Watch Series 3 and later
The new watchOS 8.4 update includes bug fixes, including a fix for “some chargers [not working] as expected.”
At least eight security patches are also included, most of them the same as those seen in the iOS and iPadOS updates. The full list can be found here.
To install this update, first make sure that your iPhone is up to date, that both your phone and watch are connected to the same Wi-Fi network, and that the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
This update includes general performance and stability improvements. It also includes at least nine security patches that are the same as those seen in the iOS, iPadOS, and watchOS updates.
The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Although many of these updates seem relatively minor, they do include fixes for some fairly serious issues. Apple had little choice but to push these updates out fairly quickly. The IOMobileFrameBuffer vulnerability was thought to be actively exploited in the wild, and the WebKit Storage vulnerability could no longer be ignored, as FingerprintJS (the organization that discovered the vulnerability) decided to exert some pressure by telling the world all about it.
So while they may seem like small updates, they’re nevertheless important. You’ll want to install these pronto!
Whether you’re using iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.