On Friday, April 7, 2023, Apple released emergency security updates for macOS Ventura, iOS and iPadOS 16, and Safari to address two vulnerabilities that Apple says may have been “actively exploited” (that is, zero-days used in the wild).
Let’s examine what we know about the two vulnerabilities that Apple mitigated.
In this article:
- macOS Ventura 13.3.1, iOS 16.4.1, and iPadOS 16.4.1
- Safari 16.4.1 for macOS Monterey and Big Sur
- Key takeaways
- How can I learn more?
macOS Ventura 13.3.1, iOS 16.4.1, and iPadOS 16.4.1
Apple’s release notes list two vulnerabilities fixed in this update, both reported as actively exploited:
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2023-28206: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 254797
CVE-2023-28205: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
Neither the MITRE nor the NIST (NVD) entries carry any details beyond Apple’s advisory yet, and neither the Google TAG blog nor the Amnesty International Security Lab blog has published anything tying these CVEs to a specific campaign, but more details might be forthcoming:
- MITRE: CVE-2023-28205 • NIST: CVE-2023-28205
- MITRE: CVE-2023-28206 • NIST: CVE-2023-28206
- Google TAG Blog • Amnesty International Tech Blog
Apple links to the details of the security patches included in macOS Ventura 13.3.1 and iOS 16.4.1 and iPadOS 16.4.1 on the Apple security updates page on its site.
There is no word yet on whether Ventura 13.3.1 also fixes the bug that Apple reportedly introduced in 13.3 affecting users whose Home folder is stored on an external drive. Users with this uncommon configuration have reported receiving the message, “You are unable to log into the user account ‘[username]’ at this time. Logging into the account failed because an error occurred.” If your Home directory is not on an external storage device, this bug does not affect you, and you should install the latest macOS Ventura update promptly to address the critical security vulnerabilities described above.
Macs running macOS Ventura can get this update by going to System Settings > General > Software Update.
If your Mac is still running macOS Mojave, Catalina, Big Sur, or Monterey and is compatible with macOS Ventura, you can upgrade by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there.
For optimal security, we advise all Mac users to upgrade to macOS Ventura if your Mac supports it—or you may even be able to run macOS Ventura on an unsupported Mac, at your own risk.
If you have an iPhone or iPad that’s compatible with iOS or iPadOS 16, the update can be obtained by going to Settings > General > Software Update on your device.
Safari 16.4.1 for macOS Monterey and Big Sur
A corresponding Safari 16.4.1 update for macOS Monterey and macOS Big Sur was also released.
However, the Safari update addresses only one of the two vulnerabilities, CVE-2023-28205 (the WebKit bug).
It isn’t yet known whether the other vulnerability, CVE-2023-28206 (the kernel bug), also affects macOS Monterey and Big Sur; if it does, those two older operating systems remain vulnerable to it even after Safari 16.4.1 is installed. That would not be unprecedented: Apple frequently leaves previous macOS versions only partially patched. In practice, a Monterey or Big Sur Mac with Safari 16.4.1 closes the web-content entry point, but if the kernel bug is present there, any app that can reach it could still use it to gain kernel privileges, so treat upgrading to Ventura as the real fix.
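For anyone managing more than one Mac, the update steps above and the Safari caveat reduce to a version check: Ventura must be at 13.3.1 or later, while Monterey and Big Sur can at best reach Safari 16.4.1. The following script is an added example, not code from Intego or Apple. It assumes the standard macOS tools `sw_vers` and `defaults` for reading the installed versions, and it takes the patch thresholds from this article; the functions accept versions as arguments so the logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example (not Intego's or Apple's code): report whether a Mac is at the
# patch level the April 7, 2023 updates require. Thresholds are the ones the
# article gives: macOS Ventura 13.3.1 (both CVEs), Safari 16.4.1 on Monterey
# and Big Sur (CVE-2023-28205 only). `sw_vers` and `defaults` are standard
# macOS tools; the functions take versions as arguments so they also run
# elsewhere (e.g. in a test harness).

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing each
# numeric component; missing components count as 0, so 13.3 < 13.3.1.
version_ge() {
    a="$1"
    b="$2"
    i=1
    while :; do
        # The trailing dot guarantees cut sees a delimiter even for "13".
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0            # ran out of components: versions are equal
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# macos_status MACOS_VERSION SAFARI_VERSION: prints a verdict.
# Exit status: 0 = both fixes present, 2 = only the WebKit fix (Safari 16.4.1
# on Monterey/Big Sur), 1 = not patched or no update available.
macos_status() {
    macos="$1"
    safari="$2"
    major=$(printf '%s.' "$macos" | cut -d. -f1)
    case "$major" in
        13)
            if version_ge "$macos" 13.3.1; then
                echo "ok: macOS $macos includes the fixes for CVE-2023-28205 and CVE-2023-28206"
                return 0
            fi
            echo "vulnerable: macOS $macos; install macOS Ventura 13.3.1 or later"
            return 1
            ;;
        11|12)
            if version_ge "$safari" 16.4.1; then
                echo "partial: Safari $safari fixes CVE-2023-28205; CVE-2023-28206 remains unpatched on macOS $macos if it applies"
                return 2
            fi
            echo "vulnerable: macOS $macos with Safari $safari; install Safari 16.4.1 or upgrade to Ventura 13.3.1"
            return 1
            ;;
        *)
            echo "vulnerable: macOS $macos received no April 7 update; upgrade to Ventura if supported"
            return 1
            ;;
    esac
}

# On a real Mac, read the installed versions and report; the exit status is
# usable as an MDM compliance result.
if command -v sw_vers >/dev/null 2>&1; then
    installed_macos=$(sw_vers -productVersion)
    installed_safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null || echo 0)
    macos_status "$installed_macos" "$installed_safari"
fi
```

The "partial" verdict is deliberate: a Monterey or Big Sur Mac with Safari 16.4.1 should not be reported as fully patched, because the article cannot say whether CVE-2023-28206 applies there.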
Nice work, all!