Apple releases macOS Ventura 13.1, iOS 16.2, and more; fixes zero-day vuln

On Tuesday, December 13, Apple released updates for its operating systems. These included iOS and iPadOS 16.2 as well as macOS Ventura 13.1, introducing new features as well as bug and security fixes. An “actively exploited” (i.e. zero-day, in-the-wild) vulnerability was fixed for most operating systems.

Let’s take a look at some of the new features, bug fixes, and security patches included in these updates.

Apple addresses zero-day vulnerability

First let’s take a look at the zero-day vulnerability that Apple addressed for multiple operating systems. Apple says of the update:

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group

Thirteen days earlier, Apple addressed this vulnerability in iOS 16.1.2, released on November 30. It was the only security issue that Apple has (so far) indicated was addressed in that update. Strangely, iPadOS didn’t receive an update at the time, and the release notes for this week’s iPadOS 16.2 update do not list this vulnerability as having been addressed.

However, several other operating systems received a fix for this vulnerability in this Tuesday’s patch update cycle:

  • macOS Ventura 13.1
  • macOS Monterey and macOS Big Sur (addressed in Safari 16.2)
  • iOS 15.7.2 and iPadOS 15.7.2
  • tvOS 16.2

For unknown reasons, the following operating systems are absent from that list:

  • iPadOS 16.2  Update: Apple acknowledged on December 22 that iPads received this fix in iPadOS 16.2.
  • watchOS 9.2
  • watchOS 8.7.x for Apple Watch Series 3 (which Apple still sells refurbished)
  • Windows (not addressed in iCloud for Windows 14.1, which was also released this week and addressed three other vulnerabilities, including two in WebKit)

It is unclear why these operating systems seemingly remain unpatched. Perhaps the vulnerability does not exist on these operating systems, or perhaps it exists but Apple does not believe it is exploitable. Or perhaps the issue was addressed but Apple just neglected to mention it. Alternatively, perhaps these operating systems remain vulnerable. Any of these scenarios is plausible.

Intego has reached out to Apple for comment. If Apple replies, this article will be updated with the company’s response. Update: Apple publicly acknowledged on December 22 that iPads received this fix in iPadOS 16.2. However, Apple has not yet responded regarding whether watchOS or Windows systems remain vulnerable.
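
The per-platform lists above can be turned into a fleet check. The following is an added example, not code from Intego or Apple: it triages a device inventory against the fixed releases this article lists for CVE-2022-42856. The inventory records are constructed samples, and the field and status names are assumptions.

```python
# Added example: triage a device inventory against the fixed releases the
# article lists for CVE-2022-42856. Status and field names are assumptions.

# (platform, major branch) -> first OS release listed as carrying the fix.
FIXED_IN_OS = {
    ("macOS", 13): "13.1",
    ("iOS", 16): "16.1.2",
    ("iOS", 15): "15.7.2",
    ("iPadOS", 16): "16.2",   # acknowledged by Apple on December 22
    ("iPadOS", 15): "15.7.2",
    ("tvOS", 16): "16.2",
}
# Monterey (12) and Big Sur (11) receive the fix through Safari 16.2.
FIXED_IN_SAFARI = {("macOS", 12): "16.2", ("macOS", 11): "16.2"}
# Platforms whose release notes do not mention this CVE.
UNCONFIRMED = {"watchOS", "Windows"}

def parse_version(text):
    """'16.2' -> (16, 2, 0), so '16.2' and '16.2.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(device):
    """Return patched, needs-update, check-safari, unconfirmed or no-fix-listed."""
    platform = device["platform"]
    if platform in UNCONFIRMED:
        return "unconfirmed"
    key = (platform, parse_version(device["os"])[0])
    if key in FIXED_IN_SAFARI:
        installed, fixed = device.get("safari"), FIXED_IN_SAFARI[key]
        if installed is None:
            return "check-safari"  # the OS version alone cannot answer this
    elif key in FIXED_IN_OS:
        installed, fixed = device["os"], FIXED_IN_OS[key]
    else:
        return "no-fix-listed"  # e.g. iOS 12, or a branch the article omits
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "needs-update"

def report(inventory):
    """Group device names by triage status."""
    groups = {}
    for device in inventory:
        groups.setdefault(triage(device), []).append(device["name"])
    return groups

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "mac-01", "platform": "macOS", "os": "13.0.1"},
    {"name": "mac-02", "platform": "macOS", "os": "12.6.2", "safari": "16.1"},
    {"name": "mac-03", "platform": "macOS", "os": "11.7.2", "safari": "16.2"},
    {"name": "mac-04", "platform": "macOS", "os": "12.6.2"},
    {"name": "phone-01", "platform": "iOS", "os": "16.1.2"},
    {"name": "phone-02", "platform": "iOS", "os": "12.5.6"},
    {"name": "pad-01", "platform": "iPadOS", "os": "15.7.1"},
    {"name": "watch-01", "platform": "watchOS", "os": "9.2"},
]

if __name__ == "__main__":
    for status, names in sorted(report(INVENTORY).items()):
        print(f"{status:14} {', '.join(names)}")
```

Devices reported as `unconfirmed` or `no-fix-listed` are the ones to track manually, since the article gives no fixed release for them.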

macOS Ventura 13.1

Available for:
Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017)

New features:

  • Freeform, a new app for working creatively with friends or colleagues on Mac, iPad, and iPhone
  • Advanced Data Protection for iCloud, an opt-in feature that can enable end-to-end encryption for more iCloud data categories on all devices associated with your Apple ID

Enterprise:

Enterprise users see the welcome return of Network Locations, reliability improvements when using DHCPv6, a resolution for an issue causing printers to be removed after a software update, and more.

Improvements and bug fixes:

  • Improved search in Messages allows you to find photos based on their content, like a dog, car, person, or text
  • Participant Cursors in Notes allow you to see live indicators as others make updates in a shared note
  • Play sound in Find My app can now help you pinpoint the location of nearby AirTags, AirPods Pro (2nd generation) case, and Find My network accessories
  • Fixes an issue that causes some notes not to sync with iCloud after updates are made
  • Fixes an issue where you may lose keyboard and mouse input in some apps and games

Security-related fixes and updates:
At least 36 vulnerabilities were addressed in this update. Here are a few notable ones:

Accounts
Impact: A user may be able to view sensitive user information
Description: This issue was addressed with improved data protection.

AppleMobileFileIntegrity, CoreServices and Printing
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by enabling hardened runtime.

Kernel
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.

Safari
Impact: Visiting a website that frames malicious content may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

Of the 36 identified fixes, five are for the kernel (the core of the OS) and 10 are for WebKit (the page-rendering engine used by Safari and other apps). This includes the vulnerability mentioned above that may have been actively exploited. The complete list can be seen here.

This may also be the first version of macOS Ventura that supports Rapid Security Responses, which Apple describes as “a mechanism for shipping security fixes to users more frequently,” but this has not yet been confirmed.

You can get this new macOS update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Ventura update appear. If your Mac is running macOS High Sierra or older, look for macOS Ventura in the App Store and download it from there.

macOS Monterey 12.6.2

Available for:
All supported Macs currently running macOS Monterey

Security-related fixes and updates:
At least 13 vulnerabilities were addressed in this update, most of which were also addressed in macOS Ventura 13.1. For the full list of security patches included in Monterey 12.6.2, have a look here.

One notable vulnerability, which Apple disclosed as previously having been silently patched in macOS Ventura 13, was also addressed for both macOS Monterey 12.6.2 and macOS Big Sur 11.7.2:

BOM
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2022-42821: Jonathan Bar Or of Microsoft

For additional details about the Gatekeeper bypass vulnerability, see our featured article about it.

Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories

You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear.

macOS Big Sur 11.7.2

Available for:
All supported Macs currently running macOS Big Sur

Security-related fixes and updates:
At least 10 vulnerabilities were addressed in this update, including the aforementioned BOM vulnerability that could be used to bypass Gatekeeper. All of the vulnerabilities addressed in this Big Sur update were also addressed in macOS Monterey 12.6.2. For the full list of security patches included in macOS Big Sur 11.7.2, have a look here.

You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear.

Safari 16.2

Available for:
macOS Monterey and macOS Big Sur

This update addresses the aforementioned 10 WebKit issues fixed in macOS Ventura 13.1, including the one that may have been actively exploited. This Safari update will protect Macs on the latest versions of Monterey and Big Sur from this particular vulnerability. The list of fixes can be seen here.

Safari 16.2 is available in System Preferences > Software Update on Macs running either macOS Monterey or Big Sur. It will appear as an available update once macOS Monterey 12.6.2 or Big Sur 11.7.2 has been installed.

iOS 16.2 and iPadOS 16.2

Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

New features:

  • Apple Music Sing, a new way to sing along with millions of your favorite songs in Apple Music, with fully adjustable vocals and newly enhanced beat-by-beat lyrics
  • Freeform, the app mentioned above as part of the macOS Ventura update, is also available for iOS and iPadOS
  • Advanced Data Protection for iCloud is now an opt-in setting for your Apple ID, as mentioned above
  • New lock screen settings allow you to hide wallpaper or notifications when Always-On display is enabled on iPhone 14 Pro and iPhone 14 Pro Max and introduces new widgets
  • SharePlay support in Game Center and a new Activity widget
  • Live Activities for Apple TV app
  • Improved reliability and efficiency of communication between your smart home accessories and Apple devices

Enterprise:
Enterprise users receive MDM improvements and bug fixes for Siri as well as 802.1X issues. For the full details, have a look here.

Improvements and bug fixes:

  • Improved search in Messages, Participant Cursors in Notes, and a fix for an issue that causes some notes not to sync with iCloud, are all addressed as with macOS Ventura 13.1
  • Reload and Show IP Address setting enables iCloud Private Relay users to temporarily disable the service for a specific site in Safari
  • News articles in Weather display information relevant to the weather in that location
  • AirDrop now automatically reverts to Contacts Only after 10 minutes to prevent unwanted requests to receive content
  • Crash Detection optimizations on iPhone 14 and iPhone 14 Pro models

Security-related fixes and updates:
At least 35 vulnerabilities were addressed in this update. Here are a few notable ones that are not already covered in the macOS updates:

AppleAVD
Impact: Parsing a maliciously crafted video file may lead to kernel code execution
Description: An out-of-bounds write issue was addressed with improved input validation.

Graphics Driver
Impact: Parsing a maliciously crafted video file may lead to unexpected system termination
Description: The issue was addressed with improved memory handling.

iTunes Store
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

Weather
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.

The full list of security issues that were addressed can be found here. To get your hands on this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.

iOS 15.7.2 and iPadOS 15.7.2

Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Security-related fixes and updates:
At least 17 vulnerabilities were addressed in this update, most of which were included in iOS/iPadOS 16.2. The full list of security issues that were addressed can be found here.

To get this latest update, connect your device to your Mac and follow the update prompts. You can also download these updates over the air by going to Settings > General > Software Update on your device.

iOS 12: No security updates

Not surprisingly, iOS 12 did not receive a security update today.

We mentioned back in August that it wasn’t yet clear whether old devices stuck on iOS 12 would continue to get security updates after the release of iOS 16 and iPadOS 16. Apple never responded to our inquiries, but the lack of iOS 12 updates since the release of iOS 16 in September—during which time several actively exploited vulnerabilities have evidently remained unpatched on iOS 12—seems to be our answer.

If you still use a device that cannot be upgraded to iOS 16 (for example, an iPhone 6 which is stuck with iOS 12, or an iPhone 6s which is stuck with iOS 15), from a security perspective it’s best to replace the hardware as soon as practical.

watchOS 9.2

Available for:
Apple Watch Series 4 and later

New features:

  • Outdoor Run workout now automatically detects when you arrive at a running track and provides track specific metrics (United States only)
  • Race Route lets you compete against your previous performance in Outdoor Run, Outdoor Cycle, and Outdoor Wheelchair Workouts
  • New custom Kickboxing algorithm in the Workout app for more accurate metrics
  • Noise app displaying when environmental sound levels are reduced now available with AirPods Pro (1st generation) and AirPods Max when using active noise cancellation
  • Family Setup users can be invited to the Home app to control HomePod speakers and smart home accessories, and unlock doors with home keys in Wallet
  • Accessibility support to visualize when Siren is in use on Apple Watch Ultra

Improvements and bug fixes:

  • Improved response time and accuracy of hand gesture controls for AssistiveTouch and Quick Actions
  • Crash Detection optimizations on Apple Watch Ultra, Apple Watch Series 8, and Apple Watch SE (2nd generation)
  • Fix for bug that causes display of incorrect watch time immediately after dismissing an alarm in Sleep Focus
  • Fix for bug causing interruptions to mindfulness sessions

Security-related fixes and updates:
At least 25 vulnerabilities were addressed in this update, all of which were included in iOS/iPadOS 16.2.

To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 8: No security updates

The Apple Watch Series 3 is incompatible with watchOS 9. Apple was still selling new Series 3 units in its online store until the Series 8 and Ultra models were announced on September 7. To this day, more than three months since the release of watchOS 9, Apple continues to sell refurbished Series 3 Apple Watch units online. Meanwhile, exactly zero watchOS 8 updates have been made available for this model.

Simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.

Intego inquired of Apple back in October whether security updates for the Series 3 were forthcoming, but we never received any response. We followed up with Apple again today. If Apple responds, this article will be updated accordingly.

tvOS 16.2

Available for:
Apple TV 4K (all generations), and Apple TV HD (aka 4th generation)

New features:

Siri

  • Get personalized recommendations, play your favorite music, and more at any time with Recognize My Voice support for up to six different family members. Try “What should I watch?” “Play my music,” or “Switch to my profile.”
  • Set your Siri language to be different from the one your Apple TV displays. Go to Settings > General > Siri Language.
  • Now includes language support for Danish in Denmark, French and German in Luxembourg, and English in Singapore to help you find shows, music, and more using just your voice.

Apple Music

  • Sing along to your favorites with beat-by-beat, real-time lyrics.
  • Control the vocal volume on millions of songs with Apple TV 4K (3rd generation).

Security-related fixes and updates:
At least 28 vulnerabilities were addressed in this update, all of which were covered in iOS/iPadOS 16.2, with one addition: the “actively exploited” WebKit vulnerability that was previously fixed in iOS 16.1.2.

audioOS 16.2

Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) for HomePod mini also received an update. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.

HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.

Key takeaways

Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s macOS Ventura, iOS, and iPadOS updates.

If you have a Mac running Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the new Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to update to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

For additional details about the Gatekeeper bypass vulnerability, as well as several additional vulnerabilities that Apple didn’t mention on December 13 and added to the release notes on December 22, see our follow-up article.

Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We talked about Apple’s latest operating system updates on episode 270.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research.