Naked Security

Apple ships Monterey with security updates, fixes 0-day in Watch and TV products, updates iDevices

A slew of security bulletins from Apple HQ, including 37 bugs listed as fixed in the initial public release of macOS Monterey.

First thing this morning, just after midnight, we received the latest slew of Apple Security Bulletins by email.

As often seems to happen with Cupertino’s patches, the emails were informative and confusing in equal measure, offering an intriguing mix of security update information:

  • The latest macOS 12 Monterey emerges as 12.0.1. We’re assuming that the security patches in the otherwise brand-new Monterey release are listed for the benefit of anyone who’s been using the Beta version, because there are 37 listed fixes covering everything from AppKit to zsh. Of these, 15 were of the “malicious application may be able to execute arbitrary code” sort, with 9 of those being code execution bugs in the kernel itself.
  • Phones and tablets get related updates. Both iOS and iPadOS make a simultaneous jump to version 15.1, fixing many of the same bugs mentioned for macOS 12.0.1, including potential kernel-mode code execution exploits, as loved by jailbreakers, surveillance software makers and cybercriminals alike.
  • The previous iOS 14 flavour gets updated as well. For those who haven’t moved or won’t be moving from iOS 14 to iOS 15, there’s version 14.8.1, fixing a smaller number of bugs than the iOS 15 update. Presumably some of the iOS 15 bugs are unique to new code added for feature purposes.
  • The Big Sur and Catalina strains of macOS are patched. Big Sur gets a version-bump to 11.6.1, while Catalina gets an old-version-style patch labelled Security Update 2021-007, but not a version number change.
  • The watchOS and tvOS flavours get version updates. WatchOS goes to 8.1, while tvOS matches with the iOS and iPadOS version number, and gets 15.1. Importantly, these updates retrofit the iOS 15.0.2 patch to the Watch and TV product lines. The 15.0.2 update appeared more than two weeks ago, and closed a zero-day kernel code execution vulnerability dubbed CVE-2021-30883.
  • Old and now superseded updates get updated update notes. As well as announcing and documenting the abovementioned 8.1 and 15.1 versions for watchOS, tvOS, iOS and iPadOS, three bulletins provide “catchup” documentation for the previous updates numbered watchOS 8 and tvOS/iOS/iPadOS 15. These bulletins are useful for the purposes of completeness, but would have been more useful still if they had been published when the original updates came out. A similar “catchup” note for Safari 15 is also provided for those who want to know what was fixed there.
  • Not a word about iOS 12. It doesn’t seem to have officially been dropped, but it isn’t getting an update this time round, even though at least one of the recent zero-day bugs patched by Apple is said to be exploitable at least back to the iOS 12 branch of Apple’s code.

What to do?

The bad news this time round is the late arrival of the zero-day patches for watchOS and tvOS, and the neither-confirmed-nor-denied update status of iOS 12.

The good news is the arrival, at last, of the zero-day patches for watchOS and tvOS, and the fact that none of the other updates mention the dreaded words “this issue may have been actively exploited”.

As usual, check that you have the latest versions:

  • Use Settings > General and choose Software Update on your iPhone or iPad.
  • Use Apple menu > System Preferences > Software Update on your MacBook or desktop Mac.

Versions and update names to check for:
---------------------------------------
Monterey (macOS 12) emerges into the daylight as 12.0.1.
Big Sur (macOS 11) should now be 11.6.1
Catalina (macOS 10) should still be 10.15.7 but with Security Update 2021-007
iOS 15 should now be 15.1
iPadOS 15 should now be 15.1
iOS 14 should now be 14.8.1
iPadOS 14 should now be 14.8.1
iOS 12 should still be 12.5.5 (no update shipped, same OS for iPhones and iPads)
tvOS should now be 15.1
watchOS should now be 8.1
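
For anyone checking more than one device, the version list above can be applied to an inventory export. The following is an added example, not code from Apple or from the original article; the inventory format, hostnames and status names are assumptions made for illustration. It compares versions numerically and treats Catalina separately, because its version number does not change with Security Update 2021-007.

```python
# Patched versions exactly as listed in the article, keyed by (platform, major).
PATCHED = {
    ("macOS", 12): "12.0.1", ("macOS", 11): "11.6.1", ("macOS", 10): "10.15.7",
    ("iOS", 15): "15.1", ("iPadOS", 15): "15.1",
    ("iOS", 14): "14.8.1", ("iPadOS", 14): "14.8.1",
    ("iOS", 12): "12.5.5", ("tvOS", 15): "15.1", ("watchOS", 8): "8.1",
}
CATALINA_UPDATE = "Security Update 2021-007"


def vtuple(version):
    """Turn '15.0.2' into (15, 0, 2), padded so that '15.1' == '15.1.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check(platform, version, installed_updates=()):
    """Classify one device against the article's list (status names are ours)."""
    have = vtuple(version)
    branch = (platform, have[0])
    if branch not in PATCHED:
        return "unlisted-branch"        # e.g. tvOS 14: not covered by the list
    if have < vtuple(PATCHED[branch]):
        return "outdated"
    if branch == ("macOS", 10) and CATALINA_UPDATE not in installed_updates:
        # Catalina stays at 10.15.7, so the number alone proves nothing.
        return "needs-security-update"
    if branch == ("iOS", 12):
        return "no-update-shipped"      # 12.5.5 is the latest; nothing new shipped
    return "ok"


# Constructed inventory: (hostname, platform, version, installed update names).
INVENTORY = [
    ("mac-01", "macOS", "12.0.1", []),
    ("mac-02", "macOS", "10.15.7", []),
    ("mac-03", "macOS", "10.15.7", ["Security Update 2021-007"]),
    ("phone-01", "iOS", "15.0.2", []),
    ("phone-02", "iOS", "12.5.5", []),
    ("watch-01", "watchOS", "8.1", []),
]


def audit(inventory):
    """Return {hostname: status} for every device in the inventory."""
    return {host: check(p, v, ups) for host, p, v, ups in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```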