iOS 15.6.1, iPadOS 15.6.1, and macOS 12.5.1 Monterey Address Serious Security Vulnerabilities
In response to a pair of concerning security vulnerabilities, Apple has released three updates: iOS 15.6.1, iPadOS 15.6.1, and macOS 12.5.1 Monterey. One of the vulnerabilities is at the kernel level, whereas the other is related to WebKit. No other changes were mentioned.
Given the severity of the vulnerabilities—both allow arbitrary code execution, one with kernel privileges—and the fact that both are being exploited in the wild, we recommend that you update as soon as possible. As always, install iOS and iPadOS updates by going to Settings > General > Software Update; install macOS updates from System Preferences > Software Update.
Apple also released watchOS 8.7.1 for the Apple Watch Series 3, not, as it later turned out, because of security problems, but to fix a bug that caused random restarts. You can download it from the Watch app in General > Software Update.
After updating to macOS 12.5.1 I noticed many anomalies, beginning with I had to manually log in to my iCloud account. Eventually I figured out the source of the problems. My user spaces are relocated to avoid using up space on my System SSD. The update broke this relocation. After restoring the proper user spaces things are gong much more smoothly.
Also, after the update “to make the computer more secure” on my MacPro7.1 and my MacBookPro18,2, Silent Knight told me
I allowed Silent Knight to install the recommended files. Maybe now my systems are more secure.
Because I don’t run auto-update I’m not sure, so on behalf of a family member: will this update install is she has auto-update turned on, or should she manually install it?
Thanks
Yes, eventually. Probably within 24 hours, but it could take up to 72 hours, which is a mechanism to prevent users from overwhelming Apple’s CDN servers.
The XProtect updates were only released today, so Catalina and above users should receive both at some point within 24-hours. Mojave and below users will only get the first one.
That assumes you have both “Automatically: Check for updates” and “Install system data files and security updates” enabled in System Preferences->Software Updates
So just Monterey?
I wonder if older macOS versions are affected. In attempting to preserve 3 macs with working hardware we are stuck on High Sierra, Catalina and Mojave here.
I never ceases to amaze that hackers seem to bring resources to this that Apple cannot.
According to Apple security releases - Apple Support BigSur and Catalina get a Safari update 15.6.1
Yes, so that takes care of the WebKit vulnerability, but not the Kernel flaw.
Probably longer than that. I’ve deliberately waited to see how long it would take for an update to automatically install and it’s been measured in weeks before I was finally prompted.
Here’s what I was told by an Apple Source recently:
Perhaps on MacOS, but that’s definitely not true on iOS, iPadOS, or tvOS. I’ve had TVs that are literally months behind on updates, and obviously you’re not going to run a terminal command on any of those platforms.
But anecdotally I know that I had my new M2 Air for two weeks before I was prompted for 12.5 just on Monday (ironically just days before 12.5.1). I hadn’t checked or realized that it was still on 12.4 when I received it. I still have my old 2015 MBA on 12.5; I’ll check later and see if it gets prompted for 12.5.1.
It may be that the XProtect updates were released slightly later, and thus were not part of the larger update. What I did not mention was after detecting the items still needing updating, SilentKnight could not install them until I turned off Caching. The bug still exists.
Just to follow up: yes, within a few hours of turning it back on, the 2015 MBA was prompted to install 12.5.1.
More than slightly. macOS 12.5.1 was released on 2022-08-17T17:22:45Z and the XProtect updates almost a day later at 2022-08-18T16:58:58Z.
You’ll have patiently wait and look for Security Updates for Mojave. The really annoying thing is that the constant Monterey Upgrade nagging (e.g. red dot in Sys Prefs icon) obscures important security updates for older macOS.
The last security update for Mojave was 2021-005 exactly a year ago tomorrow, so I would not be waiting if I were you.
AFAIK? (But what do I know) on older macOS it’s (just?) Safari that needs updating. Going to updates more should show that.
It’s actually WebKit that needs updating, which is used by more than just Safari, so in addition to the Safari app, several frameworks and other supporting files need to be updated(see below). You are correct that for Big Sur and Catalina Software Updates “More…” will show that, but my comment was directed to Mojave for which there haven’t been any updates for a year now.
In response to the advice from Apple and yourself I want to update the iOS on my wife’s iPhone 6s. But my concern is whether it will slow it down too much to be useful. Do I have to update such and old phone?
Robin Helmond
Apple does not force anyone to update any of its devices. And Apple is quite remarkable in the electronics industry for supporting their devices for years longer than other companies. I’ve had my 8+ Since 2017, and I expect upgrades and fixes to be available for it for a while.
Google only supports Android devices for three years:
Personally, I’d rather not risk running into problems because I did not update my Apple devises on a timely basis. To date, Apple has been supporting iPhones and iPads for seven years:
Are these updates in reaction to the vulnerabilities announced in the national news on Friday, 19 Aug 22 or should we expect more updates? What about those of us who are hardware limited to High Sierra? Is Tim just throwing us under the bus?
Unfortunately, I also have an iPad Mini 5 that I can’t take past iOS 14.4.2 due to a critical app that won’t work in 14.4.3 and higher. An updated version is under development but probably won’t be released for several months yet.
Yes, exactly that, as described in About the security content of macOS Monterey 12.5.1 - Apple Support, https://support.apple.com/HT213412 and https://support.apple.com/HT213414.
Still too early to know for certain, but most likely HS will never receive another update of any kind, beside XProtect. Not clear that other OSs have this vulnerability and fairly certain that Apple did not have time to test other OS versions.
That being said, High Sierra is full of many other vulnerabilities, some perhaps even more serious that these last two. There is precedent for updating legacy OSs, but very rare (I believe only once or twice). And all this goes back much further than Tim Cook’s era.
That this update made news headlines everywhere should perhaps not be interpreted as reflecting the seriousness of the bugs fixed. We’ve experienced zero days before and they didn’t get this kind of coverage. Slow news day perhaps it seems. The real message remains unchanged: keep your Macs and devices up to date, particularly with security updates. See here.
I get the impression that most (not all) of the vulnerabilities are with Safari and WebKit.
So if you’re on a Mac that isn’t being updated anymore, consider using a web browser that is still receiving updates for your platform. Like Firefox, Chrome or Edge (which is based on the same Chromium engine that Chrome uses).
It won’t protect you against all vulnerabilities, but may be good enough for your specific situation.
Well, besides Safari, I have Brave, iCab, Opera, Vivaldi browsers installed. I refuse to install Chrome since its primary purpose is to harvest private data for Google. I used to have Firefox ESR but an update a couple of years back trashed it and I couldn’t reinstall it. I’ll try installing the current version of Firefox ESR and see if I can get it to work.
Of course, it’s worth noting that Brave, Opera and Vivaldi are all based on the open source Chromium engine. They’re effectively the same browser, just with different UIs and built-in extensions. (So are Chrome, with Google extensions and Edge, with Microsoft extensions).
Unfortunately, this means there really are only four distinct browsers out there. Firefox (based on Gecko), Safari (WebKit), iCab and lots of different Chromium-based apps.
(Correction: I previously wrote that iCab was end-of-life. I was wrong and was corrected later on in this discussion thread.)
As for Firefox compatibility, the latest version (103.0.2) says that it supports macOS 10.12 (Sierra) and later. So it should work with your High Sierra system. Firefox 103.0.2 System Requirements
In my personal experience, it runs fine on my 2011 MacBook Air (running Sierra), except for a long delay (about a 1 minute timeout) when I try to print (but there are no problems printing from Big Sur). They had fixed that bug about a year ago, but it recently resurfaced. I suspect they don’t have a lot of people testing builds on Sierra.
The latest ESR builds (91.12.0 and 102.1.0) should also work fine. I don’t recall having any problems (other than the above printing delay problem) with 91 or 102 on my Sierra system when they were the latest builds.
As David already mentioned, Firefox 103.02 runs on High Sierra and I use it on an older system which is mainly for music playback but also for some web browsing on a tv and it works fine.
I installed Firefox 91.12.0esr and have imported the bookmarks from Safari. I’ll have to see if this version works as well as the older pre-Chrome versions did.
This war between offenders and potential victims is, unfortunately, a habit.
I have installed the update immediately without any issue for my MacBook Pro 16", but for my Studio Display, this is another matter; all updates are problematic; it took me more than one hour to get my display functional again.
I have written this to the support :
Am I alone with those issues ?
Just to provide a data point, I’ve only undergone one needed firmware update for my new Studio Display, to Version 15.5 (Build 19F80). I had no issues, and the update took about five minutes to complete. So your experience isn’t universal, but I have no idea how common either of our experiences are among Studio Display owners.
Happy for you !
At previous issue, Apple support proposed to me to change my display because it was within 2 months after reception.
I did not want because I hate the waste of resources ; I perhaps should have accepted…
Brave may be based on Chromium but it is a very different animal than Chrome or any other related Web browser. . .
Brave is a privacy/security-oriented browser that right out of the box is very good at its default settings. Users can tweak Brave settings to make it even better. And it is compatible with privacy and security extensions that work with Chromium browsers, so you can add old favorites that quit working when Safari 13 was introduced.
I have used Brave a lot and while I have had various issues with it, security hasn’t been one of them.
The iCab site still shows it as current with version 6.1.4 usable back to Mac OS 10.13:
https://www.icab.de/download.html
My bad. I misunderstood the Wikipedia page. It says the classic MacOS version (not the whole product) was discontinued in 2008.
For some reason, that page mentions Classilla (an unrelated product) as the last Classic MacOS browser, which was discontinued in 2021. It seems to me that that line shouldn’t be on the iCab page at all.
I am having similar problems, but I don’t understand your explanation and solution. thank you
In System Preferences / Users & Groups, Control-Click a User to open Advanced Options. The Choose… button allows you to designate a Home Directory other than the default. My User Space is huge because I have many photos and movies, so to save space on my System Disk I relocate it to the Pegasus RAID.
It seems the update to 12.5.1 reverted this customization back to default, sort of. The System could not find my actual User Space, so instead it showed me the unmodified space of a new user. In the Finder, an alias pointing to the Pegasus was created along side the actual Pegasus icon. In the Users & Groups Advanced Options panel, below Home Directory is a box for Aliases. After the update to 12.5.1 this box contained an alias. When I deleted the alias from the box, the alias in Finder which pointed to the Pegasus array disappeared.
A major symptom of this issue was I could not log on to my user space. When I tried, after a delay I would get an error dialog informing me “You cannot log into your user space because an error occurred”.
Restoring the link to the relocated user space seems to fix the problem. I am not confident this is a full solution. I am pretty sure I renewed the relocation earlier, but today it needed restoring again. I wonder if the security enhancements of the 12.5.1 update disable user space relocation. If anyone knows, I would appreciate the information. I will also ask Apple.
thank you very much. Very interesting. Sorry for having created more work for you to write such a detailed reply.
Just checked my 15" Mid-2015 MacBook Pro and Software Update says I’m completely up-to-date with MacOS 12.4. Did the 12.5 & 12.5.1 updates drop the 2015 models?
The bug introduced in 12.5.1, where relocated user spaces cannot be used to start up the Mac, remains after the update to 12.6. This issue has been reported by several others: Unable to login with user folder on external drive since 12.5.1 upgrade.
I tried to submit a support request to Promise, maker of my RAID where my user space is located, and discovered another bug probably introduced by 12.5.1. Promise provides support via a web page created in response to each user’s request. I could not get support because this web page would not open. I do not know what caused that issue, but after updating to 12.6 the support page again works.
Now I will file a bug report with Promise, and a Feedback Assistant report with Apple. I have already discussed this issue with Apple support. At that time (running macOS 12.5.1), Apple had no suggestion for how to eliminate the problem, nor did they say this was now intended behavior. That is to say, as I understood what they were telling me, relocated user spaces should still work.