Apple Updates Block Two Zero-Day Security Vulnerabilities
Apple has released a flurry of updates in response to a pair of security vulnerabilities that the company says “may have been actively exploited on Intel-based Mac systems.” That’s an unusual level of specificity for Apple, especially given that the vulnerabilities are in core code shared by other platforms.
The two vulnerabilities are highly problematic. The JavaScriptCore vulnerability allows for arbitrary code execution, and the WebKit vulnerability enables maliciously crafted Web content to lead to a cross-site scripting attack. Both vulnerabilities were identified by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group.
Apple’s updates so far include:
- macOS 15.1.1 Sequoia
- iOS 18.1.1 and iPadOS 18.1.1
- iOS 17.7.2 and iPadOS 17.7.2
- visionOS 2.1.1
- Safari 18.1.1 for macOS 14 Sonoma and macOS 13 Ventura
The release notes are identical for all of them, and there’s no indication that anything else has changed. I wouldn’t be surprised if tvOS is technically vulnerable but not worth updating, and it’s hard to imagine watchOS or HomePod Software being vulnerable in any real way.
Given the severity of these vulnerabilities and the fact that they have been exploited in the wild, I encourage you to install these updates soon.
Are you saying that the exploit works on only Apple devices powered by Intel processors, or are Apple silicon devices also vulnerable?
MacRumors is reporting:
Is Sequoia 15.1.1 now safe for human consumption? Up until now that wasn’t the case, especially not for non-techies, like me. I’m using an M2 MacBook Air with the newest Sonoma.
I am not suffering from any issues with 15.1. I was screwed up by the Sequoia firewall bug breaking ssh persistence, but that was fixed in the 15.1 update.
This might be a simple coincidence, but I have had two issues with external drives (one a micro-SD card and the other a USB thumb drive) refusing to be erased and reformatted. Disk Utility gets stuck and nothing happens in both cases. I shall have to try them on an old Mac and see if they format there.
That’s unknown—neither Apple nor Google has provided more information. My interpretation would be that there is some known malware that affects only Intel-based Macs for some reason, but that the exploited vulnerabilities are in core code that would make Apple silicon Macs and other devices vulnerable as well.
That matches exactly with my interpretation but doesn’t seem to have any further data behind it.
I have an iPhone SE, 2nd Gen., iOS 17.7. I would like to update to the latest version of iOS 17, which I believe is 17.7.2. As far as I can see, the only option is to update to iOS 18 which I do not want to do.
Can someone point me to where and/or how I can update to iOS 17.7.2?
Thank you.
Every year at some point Apple stops providing updates to last year’s version of iOS to the devices that can run the current version, and I believe from posts I have seen on reddit that this is the version that does that. It’s usually about this time of year; I think it was early December the last two years. For now I think that you stick on your existing version or update to 18.1.1.
I am on 17.7.1 (updated a few weeks ago) but do not see the latest 17.x update either. Maybe if the phone is able to go to 18, they are not allowing it to do the next 17 update.
Diane
The new SATA driver in macOS Sequoia is known to have problems, as documented by OWC.
So in answer to gbdoc’s original question,
Not completely. If you use external ATA-formatted disks, especially in high speed hardware, better wait until OWC confirms the driver issue has been resolved.
On the other hand, especially if you use PCIe-mounted disks, repair in macOS 15.1 of many longstanding macOS bugs may make upgrading safer than not upgrading.
These articles refer to the third-party SoftRAID driver. However,
Also, many of the issues encountered as OWC and Apple debugged SoftRAID were in the underlying Apple code. Unfortunately Apple only updates older code to add security patches, and not to fix bugs. Therefore,
If the problem is machines with Intel chips, why are iOS & iPadOS being updated?
I also have an SE 2nd gen. currently running iOS 17.7.1 and I see the option of an update to 17.7.2 by scrolling past the iOS 18.1.1 upgrade to the bottom of the Software Update dialog.
Scott, you are a genius! Thanks for that!
Diane
As indicated in Adam’s article, there is a Safari update (18.1.1) for those sticking with Sonoma for now. It is a little tedious to install - I first had to get past the Sequoia nagging in Software Update.
Because, based on initial reports, it looks like the vulnerability is present in all Apple OSes but has only been exploited on Intel-based Macs.
When CISA releases its formal announcement, we should be able to learn more details.
But note also that it is a WebKit/JavaScript vulnerability. So if you’re using a browser based on something else (e.g. Firefox or one of the many Chromium-based browsers), then you may not be affected.
At least on your Mac. I think all browsers on iOS-like devices are forced to use Apple’s WebKit framework under the covers.
Sequoia 15.1.1 is more than safe. In a former life it would have been a forced update, but that didn’t work out. You should always update zero day updates ASAP.
Thank you so much for your help, Scott.
Downloaded and installed iOS 17.7.2.
All is well.
Except that WebKit/JavaScript isn’t just used by Safari. It’s also used by various embedded web views in apps and the system (e.g. Apple Music, the App Store) and for all we know the vulnerability can be exploited in these embedded views as well. Given this is a zero-day vulnerability, I would update even if you never use Safari or another WebKit-based browser.
So if I am on Sonoma 14.7.1 on an M1 MacBook Air, with USB connected external drives, I should be safe to update to Sequoia 15.1.1?
This Talk summary was a bit too confusing for my old brain. Oh well. I updated my iPad mini. It seems to be the only thing affected.
FWIW: I have an Intel MBP (2019), and was running Sonoma. I did update to Safari 18.1.1.
However, at that point, it appeared my MBP would stop running often/frequently, and I was forced to restart “due to a problem detected”.
At that point, I figured it would not do harm (and might help) to update to Sequoia 15.1.1, so I did perform this update.
After updating to Sequoia 15.1.1, the MBP seems to run well consistently.
Not really sure if my update action really fixed the underlying problem (not running consistently, forcing multiple and frequent restarts) or not, but I thought I would mention the story in this thread.
All I know is what I read in the linked article. It says
So my guess is you will be OK.
Thanks for pointing that out. Much appreciated.
I am now able to see 17.7.2, having checked several times over the past few days, swiped up and down around 18.1 offer, gone out again, then in again twice, and THEN 17.7.2 is at the bottom. You have to really really want it and insist. SE 3rd gen.
Dear all,
Based on your experience and advice (which I trust more than most other sources) I updated to the latest Sequoia on both my Mac and my wife’s, which is the same model. She wasn’t having any problem even up until now, and the update hasn’t disrupted anything, and works fine. On mine, however, some things seem to have corrected themselves, most importantly, my emails seem to now arrive both to recipients as well as to me. But I still have a problem on my end, although I receive emails successfully, I can’t easily find them in my inbox. They often end up in one of the extra mailboxes I’ve created. And I still have a problem with FaceTime: it won’t work on either my Mac or my phone. That’s a PIA, but no catastrophe.
So thanks a lot for all your help and patience.
My iPhone 13 is currently running iOS 17.7.1. Software Update is offering me both 17.7.2 and 18.1.1.
Off-topic, or maybe just sideways-topic.
Same here. My question is why iMazing didn’t offer either one. Any thoughts?
I’ve never used iMazing to update my phone, so I don’t know the answer to this question.
As is the case now with Apple’s move to a new system every year and only “supporting the current 3” macOS, we are left with questions. Why is macOS 13 being left un-patched? Is it immune to any of these vulnerabilities? Or is Apple just ignoring the oldest of the “supported” systems as they have done repeatedly in recent years? Is iOS 16 immune, or does it carry any of these vulnerabilities? How do we know until and unless Apple decides to push a patch?
Until then we get the usual silence from the company that controls the system, software and hardware.
Security has become a real nightmare. In casual discussions, I find more and more people are just not updating out of frustration, confusion or having had a “bad” experience. When I ask to see what version they are running, it is often MANY versions behind even the current for that major system.
While I agree that security patches should be applied ASAP, they sometimes come with unexpected downtime and problems that may not be easily solved. Simply “getting the latest version” is not always the answer (or possible) for a multitude of reasons.
Safari 18.1.1 is available for macOS 13 Ventura to address these vulnerabilities. Given that Apple can and does update the two previous versions of macOS for security fixes, I presume the company feels that’s sufficient.
We don’t, but we also don’t know all the details about how Intel-based Macs were targeted to evaluate whether iOS 16 is likely to be vulnerable. Nor does anyone know anything about every other unknown vulnerability. And even if the details were shared, few people would understand them or be able to make informed decisions based on the information.
I long ago made peace with the fact that not everything can be known or needs to be known, especially when it comes to security updates. I just install them as soon as it’s convenient and move on with my life.
Have you actually had security violations?
This is mostly deliberate I’m sure. If Apple publicized the exact nature of some security issues, it would also publicize exactly how to exploit them, likely before users had a chance to fully patch. I think that it’s possible that the more details they share - even whether Ventura is vulnerable or is not - may be enough to give enough information to exploit it.
In response to the 3 replies above, I actually do understand these points and (mostly) agree, although I forgot the Safari detail (thx Adam). I was being a bit whiny to be fair.
I should have said, “Managing security has become a real nightmare.” However, my observation about people being multiple versions behind is true. I cannot speak to the percentage or demographics with accuracy, but I come across that issue more frequently than I should. Sometimes it is user choice, but sometimes not (i.e., macOS failing to update XProtect, etc.).
But that mostly leans into the “support of ‘older’ Apple hardware” topic, which Apple loosely defines as 3+ years old. So, I guess we need to use a different scale than “dog years”?
Nothing about iPadOS 18.1.1 which Apple now seems to want installed? I’m still using 17.X.X as earlier recommended.
I’ve moved your post to the comments about the article discussing iOS 18.1.1. It’s fine to install, but you should wait for iOS 18.2, due out any moment.