Apple Updates All Active Operating Systems to Block Exploited Security Vulnerabilities
Apple has updated all its active operating systems to address (in varying combinations) three security vulnerabilities, all of which are actively being exploited in the wild. The most concerning of the three vulnerabilities affects the kernel and thus cuts across all Apple operating systems, new and old. macOS, iOS, and iPadOS also receive fixes for a WebKit vulnerability, and iOS 15.7.7 and iPadOS 15.7.7 plug yet another WebKit vulnerability that has presumably been addressed in newer versions but afflicts versions prior to 15.7.
The affected operating systems include:
- iOS 16.5.1 and iPadOS 16.5.1
- iOS 15.7.7 and iPadOS 15.7.7
- macOS Ventura 13.4.1
- macOS Monterey 12.6.7
- macOS Big Sur 11.7.8
- watchOS 9.5.2
- watchOS 8.8.1
Neither tvOS nor HomePod Software are included at the moment. It’s possible the exploits can’t affect them, or perhaps Apple will release updates for them shortly as well.
iOS 16.5.1 and iPadOS 16.5.1 also fix a bug that prevented charging with the Lightning to USB 3 Camera Adapter. It must have been waiting in the wings such that it could hop a ride with this set of security updates.
Although it’s difficult to determine the severity of any given security vulnerability, Apple’s language about active exploits against new and old versions, coupled with the release of so many updates at once—even watchOS 8.8.1 for the Apple Watch Series 3—suggests these vulnerabilities are especially concerning. Update as soon as you reasonably can.
For those getting the “base build is not compatible for this install” error, my workaround is to do re-install of Ventura (I have a M1 MacbookPro, but its managed by work/jamf, and I suspect until Apple fixes the updater, best solution was to boot into Recovery mode an install Ventura). It put 13.4.1 and updated.
Seems some get it, some don’t.
Thanks! I wonder how they come up with those Low/Medium/High rankings.
Ventura update 13.4.1 temporarily broke my MacPro Desktop computer. After installing the update many of my menu items hung or would not work after the machine rebooted from the update. To fix it I simply restarted the machine from “Restart” under the Apple Menu. Based on this experience I strongly advise users to immediately restart their machines after installing the 13.4.1 security update if they expect their machines to properly function after the install. So much for proper SQA before release!
I would assume it’s based on who they know has been targeted so far.
I can’t track down the methodology at the moment, but IIRC, they have a scoring system that includes things like ease of exploit, potential damage from an exploit, prevalence of an exploit, infrastructure targeted by the exploit, and so on. Of course, there’s a certain amount of subjectivity involved, but they end up with a numeric score that gets translated to the qualitative “low, medium, and high” risk assessments.
The published risk assessments are intended to be very general guidelines for classes of users rather than particular users. It’s important that people and organizations perform their own risk assessments based on their actual installed software, hardware, and configurations.
For example, there might be an advisory that classifies a vulnerability in a particular Cisco router as a high risk for enterprises and a low risk for home users, but if you happen to be a home hobbyist who picked up that router at a surplus sale, you probably would have at least medium risk, i.e. the vulnerability might be easily exploited, but it is less likely that you would be targeted as an individual than as a large enterprise.
Howard Oakley is reporting that these security fixes are related to malware that Kaspersky is terming “Triangulation” that uses a malicious iMessage to compromise a device. I haven’t had time to read up on it yet, but he says that it has been around since 2019, when Mojave and Catalina were current, so they may be affected as well and aren’t receiving security fixes anymore.
Doing them for the last couple of hours.
MacBook Pro 15" Mid 2015: Done took just over an hour
iPhone 12: Done took about 1/2 hour
Watch: Doing says it’ll take 2 hours
iPad Mini 6: Done took about 25 minutes
https://www.intego.com/mac-security-blog/apple-patches-vulns-used-to-infect-russian-iphones-with-triangledb-malware/
2 of the 3 vulnerabilities had been used in targeted attacks to install TriangleDB malware on iPhones in Russia.
Most likely by the FSB, and/or GUSP. Of course, Putin’s new Soviet Russia is blaming these United States!
BTW, while reading that article, I saw another that supposedly will let me install MacOS 12.6.7 on my mid-2011 iMac & MacBook Air to get the latest security updates. How to Install macOS Sonoma on Unsupported Macs, for Security Improvements - The Mac Security Blog
So, for a late-2012 Mac Mini that can’t go beyond Mojave, I should be ok as long as I remain careful about suspicious links in texts.imessages? And I do get weird texts now (purporting to be from the Post Office) that I ignore.
While this does seem to be a targeted attack, the post above mentions that this is delivered by an “invisible” message, which leads me to believe that it’s zero-click - just having the message delivered may cause the exploit to get triggered. So perhaps to be extra-careful, don’t use iMessage on a vulnerable OS, and don’t have text messages delivered to that computer as well?
Like I said - these were targeted to Russians supposedly, but I always worry that once the word is out, somebody else will figure it out, so it’s probably for the best to be cautious if you have no other choice but to use Mojave?
Post office text message scams are pretty common. It’s just another flavor of spam.
Regarding your 2012 Mini, it is supported through Catalina, though of course it’s possible that you have software that doesn’t work with Catalina.
The YouTube Channel Mr. Macintosh also publishes regular good walkthroughs on installing & upgrading OpenCore Legacy Patcher.