Apple has released updates for all of its OSes. In addition to adding new features and introducing some UI/UX improvements, Apple’s engineers have also addressed quite a few security vulnerabilities. Here’s a rundown of the security highlights from this round of updates:

Mac 

Mac users received some important security updates this time around.

If you’re on macOS Monterey, Apple has updated your OS to version 12.3. The update addresses:

  • A BOM bug that could have allowed a malicious ZIP archive to bypass Gatekeeper.
  • A FaceTime issue that could have led to a user sending video or audio during a FaceTime call without knowing it.
  • Several separate kernel vulnerabilities that could have resulted in privilege escalation, denial of service attacks, or arbitrary code execution.
  • WebKit bugs that could have led to code execution after processing malicious web content.
  • A number of AppleScript vulnerabilities that could have caused crashes, code execution, or memory security issues.

Apple has released updates for macOS Big Sur and macOS Catalina as well. The older OSes were updated as macOS Big Sur 11.6.5 and Security Update 2022-003 Catalina. The updates address many of the same vulnerabilities as the macOS Monterey 12.3 update.

As always, we would encourage all users to update their systems as soon as possible.

iPhone and iPad 

Apple updated its mobile device OSes this week as well: as iOS 15.4 and iPadOS 15.4. Here are some of the most significant security fixes:

  • A patch for a bug in the Accelerate Framework that could have caused serious problems if a user tried to open a malicious PDF file. Apple says that the bug could have caused a crash or resulted in code execution.
  • A fix for several vulnerabilities in the AVEVideoEncoder component. Apple says the bugs could have allowed a malicious app to gain elevated permissions or execute arbitrary code with kernel privileges.
  • A couple of updates for the ImageIO framework that could have let bad actors use maliciously crafted images to achieve code execution or cause memory corruption issues.
  • A fix for FaceTime and Phone bugs that could have let someone to bypass the Emergency SOS passcode prompt.
  • A fix for Markup and UIKit issues that could have allowed someone with physical access to a device to view sensitive information through keyboard suggestions.
  • Several improvements to the sandboxing protections that make iOS and iPadOS so secure, including fixes to MediaRemote, Preferences, and Sandbox. The updates ensure that a malicious app isn’t able to see which other apps installed on a device, read other applications’ settings, or bypass the user’s Privacy settings. 

All iPhone and iPad users should update their OSes immediately.

Apple Watch and TV

As is often the case, Apple released updates for watchOS and tvOS along with its iOS/iPadOS updates. The updates are numbered as watchOS 8.5 and tvOS 15.4.

These updates address many of the same vulnerabilities as the macOS Monterey 12.3 and the iOS 15.4/iPadOS 15.4 updates. This includes the patches for those WebKit vulnerabilities, kernel issues, and sandboxing problems mentioned above. 

We realize that a lot of people probably aren’t as concerned about Apple TV and Apple Watch security as they are about iOS or Mac security. But updates for these devices are still important, and shouldn’t be neglected. If you’re an Apple Watch or an Apple TV user, set aside a few minutes today to run your updates.

Note that if you’re using a 3rd generation Apple TV, you have a software update as well: Apple TV Software 7.9. However, as this update doesn’t contain any security fixes, you can simply update whenever it’s most convenient. 

Other updates

Apple also released a handful of important software updates this week. These updates won’t affect all users, but there are a few groups who should update their apps immediately:

  • Musicians, take note! GarageBand 10.4.6 and Logic Pro X 10.7.3 patch a couple of vulnerabilities that could have allowed maliciously crafted files to crash apps or gain arbitrary code execution.
  • App developers, be aware that Apple has just updated Xcode to version 13.3. This newest version of Apple’s IDE addresses 10 separate CVE entries. The bugs, according to Apple, could have resulted in app termination or arbitrary code execution.
Leave a Reply

Your email address will not be published.