Apple’s latest update blast is out, including an extensive range of security patches for all devices that Apple officially supports.
There are fixes for iOS, iPadOS, tvOS and watchOS, along with patches for all three supported flavours of macOS, and even a special update to the firmware in Apple’s super-cool external Studio Display monitor.
Apparently, if you’re running macOS Ventura and you’ve hooked your Mac up to a Studio Display, just updating the Ventura operating system itself isn’t enough to secure you against potential system-level attacks.
According to Apple’s bulletin, a bug in the display screen’s own firmware could be abused by an app running on your Mac “to execute arbitrary code with kernel privileges.”
Travellers beware
We’re guessing that if you’re on the road right now, travelling with your Mac, you might not be able to plug in to your Studio Display for a while yet, by which time some enterprising criminal might have worked backwards from the patches, or a proof-of-concept exploit might have been released.
We don’t know how to (or even if you can) download the Studio Display patch for offline installation later when you get home.
So: if you can only patch your display in a few days’ or weeks’ time; because you have to plug your patched Mac into your vulnerable display to update it; and assuming that you need to go online to complete the update…
…you may want to learn how to start up your Mac in so-called Safe Mode, and to update from there.
In Safe Mode, a minimum set of system software and third-party apps is loaded, thus slimming down what’s known as your attack surface area until you’ve completed the patch.
Ironically, albeit unavoidably, most third-party security add-ons don’t start up in Safe Mode, so an alternative approach is simply to boot up with as many non-security-related apps turned off, so they don’t start automatically when you log in.
You can temporarily turn off auto-starting background apps in the Settings > General > Login Items menu.
One zero-day, but plenty of other bugs
The good news, as far as we can see, is that there is only one zero-day bug in this batch of updates: the bug CVE-2023-23529 in WebKit.
This vulnerability, which allows attackers to implant malware on your iOS 15 or iPadOS 15 device without you noticing, is listed with the dread words, “Apple is aware of a report that this issue may have been actively exploited.”
Fortunately, this bug is only listed as a zero-day in the iOS 15.7.4 and iPadOS 15.7.4 security bulletin, meaning that more recent iDevices, Macs, TVs and Apple Watches appear to be safe from this one.
The bad news, as usual, is that there is nevertheless a wide range of we-hope-we-found-them-before-the-crooks-did bugs fixed for all Apple’s other operating systems, including vulnerabilities that could theoretically be exploited for:
- Kernel-level remote code execution, where attackers could take over your entire device, and potentially access all data from any apps they liked, instead of being limited to intruding on an individual app and its data.
- Data stealing triggered by a booby-trapped calendar invitation.
- Access to Bluetooth data after your device receives a booby-trapped Bluetooth packet.
- File downloads that bypass Apple’s usual Gatekeeper quarantine checks, rather like the recent SmartScreen bypass on Windows caused by a bug in Microsoft’s similar Mark of the Web system.
- Unauthorised access to your Hidden Photos Album, caused by a flaw in the Photos app.
- Sneakily and incorrectly tracking you online after you’ve browsed to a booby-trapped website.
What to do?
The updates you need, the bulletins that describe what you’re getting, and the version numbers to look for to ensure you’ve updated correctly, are as follows:
- HT213670: macOS Ventura goes to 13.3.
- HT213677: macOS Monterey goes to 12.6.4.
- HT213675: macOS Big Sur goes to 11.7.5.
- HT213671: Safari goes to 16.4 (this update is included with the Ventura patches, but you need to install it separately if you are using Monterey or Big Sur).
- HT213676: iOS 16 and iPadOS 16 go to 16.4.
- HT213673: iOS 15 and iPadOS 15 go to 15.7.4.
- HT213674: tvOS goes to 16.4.
- HT213678: watchOS goes to 9.4.
- HT213672: the Studio Display Firmware goes to 16.4.
On iDevices, go to Settings > General > Software Update to check if you’re up to date, and to trigger an update if you aren’t.
On Macs, it’s almost the same, except that you open the Apple menu and choose System Settings… to get started, followed by General > Software Update.
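If you look after more than one Mac, clicking through Software Update on each of them gets tedious, so here is a small POSIX shell script, added as an example and not part of the original article, that compares the macOS version a machine reports against the minimum patched numbers listed above (13.3, 12.6.4, 11.7.5) and, on Monterey and Big Sur, checks that Safari has reached 16.4 as a separate install. The version table is taken from the bulletin list above; the function and variable names are our own, and the script only queries `sw_vers` and Safari’s Info.plist when they actually exist, so the comparison logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example: check a Mac against the patched versions from the bulletins above.
# Minimum patched macOS version per major release (from HT213670/HT213677/HT213675).
min_version_for_major() {
  case "$1" in
    13) echo "13.3" ;;     # Ventura
    12) echo "12.6.4" ;;   # Monterey
    11) echo "11.7.5" ;;   # Big Sur
    *)  echo "" ;;         # not covered by this batch of updates
  esac
}

# version_ge A B: exit 0 if dotted version A is >= B, 1 otherwise.
# Pure POSIX sh: compares one numeric component at a time, missing parts count as 0.
version_ge() {
  a="$1."
  b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# macos_patched VERSION: 0 = at or above the patched build, 1 = still vulnerable,
# 2 = a major version this batch of bulletins does not cover.
macos_patched() {
  major=${1%%.*}
  min=$(min_version_for_major "$major")
  [ -n "$min" ] || return 2
  version_ge "$1" "$min"
}

# safari_patched MACOS_VERSION SAFARI_VERSION: Safari 16.4 ships inside the Ventura
# update but is a separate install on Monterey and Big Sur, so only check there.
safari_patched() {
  major=${1%%.*}
  [ "$major" -eq 13 ] && return 0
  version_ge "$2" "16.4"
}

# Live check, only when run on an actual Mac (sw_vers is a macOS command).
if command -v sw_vers >/dev/null 2>&1; then
  v=$(sw_vers -productVersion)
  if macos_patched "$v"; then
    echo "macOS $v: patched"
  else
    echo "macOS $v: NOT yet at $(min_version_for_major "${v%%.*}")"
  fi
  plist=/Applications/Safari.app/Contents/Info.plist
  if [ -f "$plist" ]; then
    s=$(defaults read "$plist" CFBundleShortVersionString)
    if safari_patched "$v" "$s"; then
      echo "Safari $s: patched"
    else
      echo "Safari $s: NOT yet at 16.4"
    fi
  fi
fi
```

The component-by-component comparison matters because a plain string comparison would rank 12.6.10 below 12.6.4; the exit code 2 for an uncovered major version is deliberate, so a fleet script can flag machines on releases Apple no longer patches rather than silently calling them “up to date”.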
Get ’em while they’re fresh!
Bart Hansen
Thanks!
Paul Ducklin
It’s a pleasure – hope you got all your Apple gear updated smoothly. (My macOS Monterey for Intel update was quite big – 2.5GB or so – but it installed fairly quickly. I was offline for at most 30 mins, during which time my iOS 16 phone updated as well.)