Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals
14 comments

Apple Updates All Active Operating Systems to Block Exploited Security Vulnerabilities

Apple has updated all its active operating systems to address (in varying combinations) three security vulnerabilities, all of which are actively being exploited in the wild. The most concerning of the three vulnerabilities affects the kernel and thus cuts across all Apple operating systems, new and old. macOS, iOS, and iPadOS also receive fixes for a WebKit vulnerability, and iOS 15.7.7 and iPadOS 15.7.7 plug yet another WebKit vulnerability that has presumably been addressed in newer versions but afflicts versions prior to 15.7.

The affected operating systems include:

Neither tvOS nor HomePod Software are included at the moment. It’s possible the exploits can’t affect them, or perhaps Apple will release updates for them shortly as well.

iOS 16.5.1 and iPadOS 16.5.1 also fix a bug that prevented charging with the Lightning to USB 3 Camera Adapter. It must have been waiting in the wings such that it could hop a ride with this set of security updates.

Although it’s difficult to determine the severity of any given security vulnerability, Apple’s language about active exploits against new and old versions, coupled with the release of so many updates at once—even watchOS 8.8.1 for the Apple Watch Series 3—suggests these vulnerabilities are especially concerning. Update as soon as you reasonably can.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Apple Updates All Active Operating Systems to Block Exploited Security Vulnerabilities

Notable Replies

  1. For those getting the “base build is not compatible for this install” error, my workaround is to do re-install of Ventura (I have a M1 MacbookPro, but its managed by work/jamf, and I suspect until Apple fixes the updater, best solution was to boot into Recovery mode an install Ventura). It put 13.4.1 and updated.

    Seems some get it, some don’t.

  2. RISK:

    Government:
    Large and medium government entities: HIGH
    Small government: MEDIUM

    Businesses:
    Large and medium business entities: HIGH
    Small business entities: MEDIUM

    Home Users: LOW

  3. Thanks! I wonder how they come up with those Low/Medium/High rankings.

  4. Ventura update 13.4.1 temporarily broke my MacPro Desktop computer. After installing the update many of my menu items hung or would not work after the machine rebooted from the update. To fix it I simply restarted the machine from “Restart” under the Apple Menu. Based on this experience I strongly advise users to immediately restart their machines after installing the 13.4.1 security update if they expect their machines to properly function after the install. So much for proper SQA before release!

  5. I would assume it’s based on who they know has been targeted so far.

  6. I can’t track down the methodology at the moment, but IIRC, they have a scoring system that includes things like ease of exploit, potential damage from an exploit, prevalence of an exploit, infrastructure targeted by the exploit, and so on. Of course, there’s a certain amount of subjectivity involved, but they end up with a numeric score that gets translated to the qualitative “low, medium, and high” risk assessments.

    The published risk assessments are intended to be very general guidelines for classes of users rather than particular users. It’s important that people and organizations perform their own risk assessments based on their actual installed software, hardware, and configurations.

    For example, there might be an advisory that classifies a vulnerability in a particular Cisco router as a high risk for enterprises and a low risk for home users, but if you happen to be a home hobbyist who picked up that router at a surplus sale, you probably would have at least medium risk, i.e. the vulnerability might be easily exploited, but it is less likely that you would be targeted as an individual than as a large enterprise.

  7. Howard Oakley is reporting that these security fixes are related to malware that Kaspersky is terming “Triangulation” that uses a malicious iMessage to compromise a device. I haven’t had time to read up on it yet, but he says that it has been around since 2019, when Mojave and Catalina were current, so they may be affected as well and aren’t receiving security fixes anymore.

  8. Doing them for the last couple of hours.

    MacBook Pro 15" Mid 2015: Done took just over an hour

    iPhone 12: Done took about 1/2 hour

     Watch: Doing says it’ll take 2 hours

    iPad Mini 6: Done took about 25 minutes

  9. Most likely by the FSB, and/or GUSP. Of course, Putin’s new Soviet Russia is blaming these United States!

    BTW, while reading that article, I saw another that supposedly will let me install MacOS 12.6.7 on my mid-2011 iMac & MacBook Air to get the latest security updates. How to Install macOS Sonoma on Unsupported Macs, for Security Improvements - The Mac Security Blog

  10. So, for a late-2012 Mac Mini that can’t go beyond Mojave, I should be ok as long as I remain careful about suspicious links in texts.imessages? And I do get weird texts now (purporting to be from the Post Office) that I ignore.

  11. While this does seem to be a targeted attack, the post above mentions that this is delivered by an “invisible” message, which leads me to believe that it’s zero-click - just having the message delivered may cause the exploit to get triggered. So perhaps to be extra-careful, don’t use iMessage on a vulnerable OS, and don’t have text messages delivered to that computer as well?

    Like I said - these were targeted to Russians supposedly, but I always worry that once the word is out, somebody else will figure it out, so it’s probably for the best to be cautious if you have no other choice but to use Mojave?

  12. Post office text message scams are pretty common. It’s just another flavor of spam.

    Regarding your 2012 Mini, it is supported through Catalina, though of course it’s possible that you have software that doesn’t work with Catalina.

  13. The YouTube Channel Mr. Macintosh also publishes regular good walkthroughs on installing & upgrading OpenCore Legacy Patcher.

Join the discussion in the TidBITS Discourse forum

Participants

Avatar for ace Avatar for richard.peach Avatar for romad Avatar for alvarnell Avatar for ddmiller Avatar for jweil Avatar for nathanschwam Avatar for macanix Avatar for josehill