Apple’s latest collection of security updates has arrived, including the just-launched macOS 13 Ventura, which was accompanied by its own security bulletin listing a whopping 112 CVE-numbered security holes.
Of those, we counted 27 arbitrary code execution holes, of which 12 allow rogue code to be injected right into the kernel itself, and one allows untrusted code to be run with system privileges.
On top of that, there are two elevation-of-privilege (EoP) bugs listed for Ventura that we assume could be used in conjunction with some, many or all of the remaining 14 non-system code execution bugs to form an attack chain that turns a user-level code execution exploit into a system-level one.
iPhone and iPad at real-life risk
That’s not the most critical part of this story, however.
The “clear-and-present danger” prize goes to iOS and iPadOS, which get updated to version 16.1 and 16 respectively, where one of the listed security vulnerabilities allows kernel code execution from any app, and is already actively being exploited.
In short, iPhones and iPads need patching right away because of a kernel zero-day.
Apple hasn’t said which cybercrime group or spyware company is abusing this bug, dubbed CVE-2022-42827, but given the high price that working iPhone zero-days command in the cyberunderworld, we assume that whoever is in possession of this exploit [a] knows how to make it work effectively and [b] is unlikely to draw attention to it themselves, in order to keep existing victims in the dark as much as possible.
Apple has trotted out its usual boilerplate remark to the effect that the company “is aware of a report that this issue may have been actively exploited”, and that’s all.
As a result, we can’t offer you any advice on how to check for signs of attack on your own device – we’re not aware of any so-called IoCs (indicators of compromise), such as weird files in your backup, unexpected configuration changes, or unusual logfile entries that you might be able to search for.
Our only recommendation is therefore our usual urging to patch early/patch often, by heading to Settings > General > Software Update and choosing Download and Install if you haven’t received the fixes already.
Why wait for your device to find and suggest the updates itself when you can jump to the head of the queue and fetch them right away?
Catalina dropped?
As you might have assumed, given that the release of Ventura takes macOS to version 13, three-versions-ago macOS 10 Catalina doesn’t appear in the list this time.
Apple typically provides security updates only for the previous and pre-previous versions of macOS, and that’s how the patches played out here, with patches to take macOS 11 Big Sur to version 11.7.1, and macOS 12 Monterey to version 12.6.1.
However, those versions also get a separate update listed as Safari 16.1, which fixes several dangerous-sounding bugs in Safari and its underlying software library WebKit.
Remember that WebKit is used not only by Safari but also by any other apps that rely on Apple’s underlying code to display any sort of HTML-based content, including help systems, About screens, and built-in “minibrowsers”, commonly seen in messaging apps that offer an option to view HTML files, pages or messages.
Apple watchOS and tvOS also get numerous fixes, and their version numbers update to watchOS 9.1 and tvOS 16.1 respectively.
What to do?
The good news is that only early adopters and software developers are likely to be running Ventura already, as part of Apple’s Beta ecosystem.
Those users should update as soon as possible, without waiting for a system reminder or for auto-updating to kick in, given the huge number of bugs fixed.
If you aren’t on Ventura but intend to upgrade right away, your first experience of the new version will automatically include the 112 CVE patches mentioned above, so the version upgrade will automatically include the needed security updates.
If you’re planning on sticking with the previous or pre-previous macOS version for a while yet (or if, like us, you have an older Mac that can’t be upgraded), don’t forget that you need two updates: one specific to Big Sur or Monterey, and the other an update for Safari that’s the same for both operating system flavours.
To summarise:
- On iOS or iPadOS, urgently use Settings > General > Software Update.
- On macOS, use Apple menu > About this Mac > Software Update…
- macOS 13 Ventura Beta users should update immediately to the full release.
- Big Sur and Monterey users who upgrade to Ventura get the macOS 13 security fixes at the same time.
- macOS 11 Big Sur goes to 11.7.1, and needs Safari 16.1 as well.
- macOS 12 Monterey goes to 12.6.1, and needs Safari 16.1 as well.
- watchOS goes to 9.1.
- tvOS goes to 16.1.
Note that macOS 10 Catalina gets no updates, but we assume that’s because it’s the end of the road for Catalina users, not because it’s still supported but was immune to any of the bugs found in later versions.
If we’re right, Catalina users who can’t upgrade their Macs are stuck with running increasingly outdated Apple software forever, or switching to an alternative operating system such as a Linux distro that is still supported on their device.
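The macOS part of the summary above can also be checked from a terminal. The script below is an added example, not taken from Apple or from the original article: the minimum versions come from the list above, while the function names and the Safari bundle path read by `defaults` are assumptions.

```shell
#!/bin/sh
# ver_ge A B: succeed when dotted version A >= B, compared numerically field by field.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# patch_status OS_VERSION SAFARI_VERSION
# Prints "<status>: <detail>" and returns 0 only when nothing is outstanding.
patch_status() {
    os=$1 safari=$2
    case ${os%%.*} in
        13) echo "patched: macOS $os already includes the macOS 13 fixes"; return 0 ;;
        12) min=12.6.1 ;;   # Monterey
        11) min=11.7.1 ;;   # Big Sur
        10) echo "no-update-listed: macOS $os gets no fixes in this round"; return 2 ;;
        *)  echo "unknown: macOS $os is not covered by these bulletins"; return 3 ;;
    esac
    if ! ver_ge "$os" "$min"; then
        echo "needs-os-update: macOS $os is below $min"; return 1
    fi
    # Big Sur and Monterey need the separate Safari update as well.
    if ! ver_ge "$safari" 16.1; then
        echo "needs-safari-update: Safari $safari is below 16.1"; return 1
    fi
    echo "patched: macOS $os with Safari $safari"
}

# On a Mac, check the local machine. A Ventura beta reports the same
# product version as the full release, so betas are not detected here.
if command -v sw_vers >/dev/null 2>&1; then
    os_now=$(sw_vers -productVersion)
    # Assumed location of Safari's Info.plist; a failed read counts as version 0.
    safari_now=$(defaults read /Applications/Safari.app/Contents/Info \
        CFBundleShortVersionString 2>/dev/null || echo 0)
    patch_status "$os_now" "$safari_now"
fi
```

The exit status of `patch_status` is non-zero whenever an update is outstanding, so the script can be used as a compliance check in management tooling.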
Quick links to Apple’s security bulletins:
- APPLE-SA-2022-10-24-1: HT213489 for iOS 16.1 and iPadOS 16
- APPLE-SA-2022-10-24-2: HT213488 for macOS Ventura 13
- APPLE-SA-2022-10-24-3: HT213494 for macOS Monterey 12.6.1
- APPLE-SA-2022-10-24-4: HT213493 for macOS Big Sur 11.7.1
- APPLE-SA-2022-10-24-5: HT213491 for watchOS 9.1
- APPLE-SA-2022-10-24-6: HT213492 for tvOS 16.1
- APPLE-SA-2022-10-24-7: HT213495 for Safari 16.1
SECURITY SOFTWARE AND THE VENTURA UPGRADE PROCESS
Note. Some security products, including Sophos Central Endpoint, may require administrator attention before or after upgrading to Ventura, due to a security lockdown applied by Apple during the operating system upgrade. (An access control setting allowing security products Full Disk Access privileges gets removed, so the affected app may no longer be able to provide the same level of protection it did before.) Specific information for Sophos users, plus some general advice about this issue that you may find useful even if you aren’t a Sophos customer, can be found in Sophos Knowledgebase article KB-000044555.