The Mac Security Blog

Software & Apps

Apple releases macOS Ventura 13.3, iOS 16.4, and more, with security updates

Posted on by


Update, April 7: Apple has issued urgent newer patches: macOS Ventura 13.3.1, iOS/iPadOS 16.4.1, and Safari 16.4.1.

On Monday, March 27, Apple released security, bug-fix, and feature updates for all of its operating systems, Safari, and more.

Let’s examine what we know about the vulnerabilities that Apple mitigated, and various other highlights of each update.

In this article:

Apple finally addresses old zero-day vulnerability for iOS 15

Out of all the updates that were released this week, Apple seems to have only patched a single “actively exploited” (i.e. in-the-wild) vulnerability—for older OS versions that got skipped during last month’s patch cycle.

After not releasing any updates for iOS 15 or iPadOS 15 the company’s February 2023 round of patches, Apple finally address CVE-2023-23529 in this week’s iOS and iPadOS 15.7.4 updates. This vulnerability in WebKit—the page rendering engine used by Safari and other parts of the operating system as well as third-party apps—was previously addressed in iOS and iPadOS 16.3.1, as well as the current and two previous major macOS versions. For more details about this vulnerability, see our article about February’s Apple patches.

Update Now: Urgent fix for macOS Ventura 13.2.1, iOS 16.3.1 resolves major vulnerability

For additional details about the iOS and iPadOS 15.7.4 updates, refer to that section of the article below.

macOS Ventura 13.3

Available for:
All supported Macs currently running macOS Ventura

New features:

  • 21 new emoji, including animals, hand gestures, and objects are now available in emoji keyboard
  • Remove background option in Freeform automatically isolates the subject in your image
  • Photos duplicates album expands support to detect duplicate photos and videos in an iCloud Shared Photo Library
  • Transliteration support for Gujarati, Punjabi, and Urdu keyboards
  • New keyboard layouts for Choctaw, Chickasaw, Akan, Hausa, and Yoruba
  • Accessibility setting to automatically dim video when flashes of light or strobe effects are detected
  • VoiceOver support for maps in the Weather app

Enterprise:

  • MDM can query the model number of Mac computers with Apple silicon.
  • Profile-based Wi-Fi networks are given auto-join priority over manually joined networks by default.
  • Platform SSO supports WS-Trust federation to another identity provider.
  • Accessory Security now includes SD cards.

Improvements and bug fixes:

  • Resolves an issue where Trackpad gestures may occasionally stop responding
  • Fixes an issue where Ask to Buy requests from children may fail to appear on the parent’s device
  • Addresses an issue where VoiceOver may be unresponsive after using the Finder
  • Resolves an issue that caused software update scans to fail to return results when concurrent scans were initiated.
  • Mac computers enrolled in MDM no longer start up in recovery mode intermittently after a software update.
  • Resolves an issue where MDM Lock on a Mac with the Apple T2 Security Chip could be bypassed.
  • Resolves an issue where using Cisco AnyConnect could cause high CPU usage.
  • Exporting video files to an Xsan volume no longer causes an unexpected restart.

Security updates:
At least 58 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 18 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. Here are some notable ones:

Apple Neural Engine
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.

 

Archive Utility
Impact: An archive may be able to bypass Gatekeeper
Description: The issue was addressed with improved checks.

 

Find My
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.

 

Identity Services
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.

 

Photos
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.

For the full list of security patches included in Ventura 13.3, have a look here.

Reportedly, Apple may have inadvertently introduced a new bug affecting users whose Home folder is stored on an external drive. Users with this uncommon configuration have reported receiving the message, “You are unable to log into the user account ‘[username]’ at this time. Logging into the account failed because an error occurred.” If you don’t have your Home directory on an external storage device, then you don’t need to worry about this bug; it’s important to install macOS Ventura 13.3 to address dozens of security vulnerabilities.

Users of macOS Ventura can get this update by going to System Settings > General > Software Update.

If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you can upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.

macOS Monterey 12.6.4

Available for:
All supported Macs currently running macOS Monterey

Enterprise, improvements and bug fixes:

  • Resolved an issue where MDM Lock on a Mac with the Apple T2 Security Chip could be bypassed.

Security updates:
At least 27 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 5 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. These issues overlap with those addressed in the macOS Ventura update—but, notably, significantly fewer issues were patched for this older macOS version, as is typical.

Because Apple is no longer patching every security vulnerability that affects macOS Monterey—Apple’s policy is that “not all known security issues are addressed in previous versions”—we advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.

For the full list of security patches included in Monterey 12.6.4, have a look here.

You can get this update by going to System Preferences > Software Update.

macOS Big Sur 11.7.5

Available for:
All supported Macs currently running macOS Monterey

Security updates:
At least 25 vulnerabilities with assigned CVE numbers were addressed in this update. There were also at least 5 other unspecified security improvements for which Apple gave “additional recognition” to individuals who assisted. Again, these issues overlap with those addressed in the macOS Ventura update—but, notably, significantly fewer issues were patched for this older macOS version, as is typical.

Because Apple is no longer patching every security vulnerability that affects macOS Big Sur, we advise users to upgrade to macOS Ventura if your Mac supports it—or even on an unsupported Mac, at your own risk.

For the full list of security patches included in Big Sur 11.7.5, have a look here.

You can get this update by going to System Preferences > Software Update.

Safari 16.4 for macOS Monterey and Big Sur

Available for:
macOS Big Sur and macOS Monterey

This update addresses two WebKit issues with CVE numbers, with three “additional recognitions,” which overlap with those addressed in macOS Ventura.

The short list of fixes can be seen here, and the update is available in System Preferences > Software Update on applicable Macs. It will appear as an available update once macOS 12.6.4 or 11.7.5 has been installed.

iOS 16.4 and iPadOS 16.4

Available for:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

New features & functionality:

  • 21 new emoji including animals, hand gestures, and objects are now available in emoji keyboard
  • Notifications for web apps added to the Home Screen
  • Voice Isolation for cellular calls prioritizes your voice and blocks out ambient noise around you
  • Duplicates album in Photos expands support to detect duplicate photos and videos in an iCloud Shared Photo Library
  • VoiceOver support for maps in the Weather app
  • Accessibility setting to automatically dim video when flashes of light or strobe effects are detected
  • (iPad only) Apple Pencil hover adds tilt and azimuth support so you can preview your mark at any angle before you make it in Notes and supported apps on iPad Pro 11-inch (4th generation) and iPad Pro 12.9-inch (6th generation)

Enterprise:

  • MDM can query the model number of managed devices.
  • Profile-based Wi-Fi networks are given auto-join priority over manually joined networks by default.
  • Managed Apple IDs will be prompted less often to Update Apple ID Settings.

Improvements and bug fixes:

  • Fixes an issue where Ask to Buy requests from children may fail to appear on the parent’s device
  • Addresses issues where Matter-compatible thermostats could become unresponsive when paired to Apple Home
  • Crash Detection optimizations on iPhone 14 and iPhone 14 Pro models
  • Resolves an issue that caused users with Managed Apple IDs to be prompted to Update Apple ID Settings
  • (iPad only) Fixes an issue with Apple Pencil responsiveness that may occur while drawing or writing in the Notes app

Security updates:
At least 33 vulnerabilities were addressed in this update, plus 12 “additional recognitions,” most of which are the same issues addressed in the macOS updates.

The full list of security issues that were addressed can be found here. To get the update over the air, go to Settings > General > Software Update on your device.

iOS 15.7.4 and iPadOS 15.7.4

Available for:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Security updates:
At least 16 vulnerabilities were addressed in this update, plus two “additional recognitions,” most of which were covered in the previously mentioned OS updates.

Notably, as mentioned above, one “actively exploited” WebKit vulnerability that was addressed last month in iOS and iPadOS 16.3.1 finally got addressed in iOS and iPasOS 15.7.4. It is very concerning that Apple would leave a vulnerability unpatched for so long when it’s known to have been exploited in the wild. Approximately 18% of all iOS and iPadOS devices are currently running version 15.x, according to the latest data from StatCounter. Many of those devices likely cannot be upgraded to version 16.x, due to Apple dropping support for several iPhone and iPad models and the final model of iPod touch.

If your device is capable of running iOS 16, be sure to upgrade to the latest version as soon as possible. Don’t stay behind on iOS 15; it’s significantly less secure, and it’s not worth putting yourself at risk.

The full list of security issues that were addressed can be found here. To get the update over the air, go to Settings > General > Software Update on your device.

Studio Display Firmware Update 16.4

Available for:
Studio Display (2022, 27″) — not to be confused with 15–21″ Apple Studio Displays sold from 1998–2004

New features:

  • Adds support for in-field recalibration of the display using Pro Display Calibrator. Enables specific color workflows that may require custom calibration by an in-house spectroradiometer. (Learn more)
  • Minor stability improvements

Security updates:
This new Studio Display firmware includes a single security fix (addressing CVE-2023-27965) and is only available for macOS Ventura 13.3 users. Interestingly, the same vulnerability was also patched in macOS Ventura 13.3 itself.

Display
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.

The page mentioning the security fix can be found here. To get this latest update, open System Settings > General > Software Update. If you run into any issues updating your display’s firmware, have a look at Apple’s troubleshooting instructions here.

watchOS 9.4

Available for:
Apple Watch Series 4 and later

Security updates:
At least 16 vulnerabilities were addressed in this update, plus seven “additional recognitions,” each of which was addressed in the previously mentioned OS updates.

The full list of security issues that were addressed can be found here. To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 8 — still no security updates for eight months

Meanwhile, there’s still no word on when (or if) Apple Watch Series 3—which Apple still sold refurbished until earlier this month—will get watchOS 8 security updates. Apple has, for unknown reasons, chosen not to release watchOS 9 for this model, putting the device in an awkward state of limbo.

The most recent update for watchOS 8 was in mid-August 2022, about a month before watchOS 9 came out. The most recent watchOS update that included security fixes came a month prior, in July 2022. (Concerningly, Apple chose not to patch two “actively exploited” vulnerabilities for watchOS 8.7.1 in its August patch cycle. However, both vulnerabilities were later patched in watchOS 9.0.) Now it has been more than eight months since the Apple Watch Series 3 has gotten any security updates.

As we’ve mentioned previously, simultaneous updates for watchOS versions would not be unprecedented. As recently as late 2020, Apple released simultaneous updates for two or three watchOS versions at a time, mainly to support older Apple Watch models.

It’s hard to understand how Apple could justify such seemingly negligent behavior regarding a product that it was still selling.

Intego has asked Apple multiple times for an update regarding watchOS 8 security updates for the Apple Watch Series 3, but Apple has neglected to respond to our inquiries.

Apple stops selling Watch Series 3 — eight months after its last security update

 

tvOS 16.4

Available for:
Apple TV 4K (all models) and Apple TV HD

New features:

  • This update adds Dim Flashing Lights, an accessibility option to automatically dim the display of video when flashes of light or strobe effects are detected, and includes performance and stability improvements.

Security updates:
At least 14 vulnerabilities were addressed in this update, plus four “additional recognitions,” each of which was addressed in the previously mentioned OS updates.

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

audioOS 16.4

Apple’s rarely-mentioned audioOS (also known as HomePod Software, or HomePodOS) for HomePod mini also received an update. Apple has never mentioned this operating system on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.

HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.

Xcode 14.3

On March 30, Apple also released an update to its software development platform, Xcode. Version 14.3 addresses two vulnerabilities, which you can read about here.

If you have Xcode installed on macOS Ventura 13.0 or later, the update will show up under System Settings > General > Software Update.

Key takeaways

If you get nothing else out of this article, here are some key points:

  • Apple released a bunch of security updates this week; check for and install updates on all your Apple devices!
  • At this point, macOS Ventura, iOS 16, and iPadOS 16 are the only safe operating systems to use on Macs, iPhones, and iPads, respectively.
    • If you have a Mac for which Apple doesn’t officially support Ventura, you may be able to upgrade it anyway.
    • If you have an older iPhone or iPad that isn’t compatible with 16.x, or any iPod touch, buying a new device is the safest option.
  • Apple Watch Series 3 may be perpetually vulnerable. The last security update for it was released more than eight months ago, in July 2022, even though Apple continued to sell it until just a couple weeks ago, in March 2023. (Third parties still sell this Apple Watch model, so beware.)

It is advisable to update to the latest operating systems as soon as you reasonably can. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.

If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the new Monterey or Big Sur version, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. View all posts by Jay Vrijenhoek →