Apple patches 0-days for Mac, iPhone, and iPad

Apple has released security updates that patch 0-days on Mac, iPhone, and iPad. Read on for details about the vulnerabilities, patch instructions, and key takeaways.

What did Apple just patch?

Apple has issued a number of security updates over the past few days:

The security issues addressed here are true 0-days: Apple says it is aware of reports that these flaws “may have been actively exploited.”

There were two different vulnerabilities:

CVE-2023-28205: A WebKit flaw that can allow bad actors to use malicious web content to achieve arbitrary code execution on a target system.
CVE-2023-28206: A vulnerability in IOSurfaceAccelerator that allows a malicious app to execute arbitrary code with kernel permissions.

Both vulnerabilities are addressed in the macOS Ventura 13.3.1 update as well as in the iOS/iPadOS 16.4.1 and 15.7.5 updates. The Safari 16.4.1 update patches the WebKit bug for older versions of macOS (i.e., Big Sur and Monterey), while the macOS Big Sur 11.7.6 and macOS Monterey 12.6.5 updates fix the IOSurfaceAccelerator vulnerability for those OSes.

How to patch the vulnerabilities

If you don’t have automatic updates enabled on your Mac, iPhone, or iPad, you should manually update your system immediately.

Here’s how to run the updates:

macOS Ventura 13.3.1

Go to Apple menu > System Settings > General > Software Update. You should see the 13.3.1 update under Updates Available. Click Update Now and follow the prompts to update your Mac.

macOS Big Sur 11.7.6 and macOS Monterey 12.6.5

Go to Apple menu > System Preferences > General > Software Update. The OS update should be listed under Updates Available. Click Update Now and follow the prompts to update your Mac.

iOS 16.4.1 and iOS 15.7.5

Go to Settings > General > Software Update. You should see the update for your OS here. Tap Download and Install to request the update. Note that you will first have to authenticate yourself to iOS by entering your device password. If you see the Install Now prompt, you must tap this to complete your update.

Safari 16.4.1

On a Mac running macOS Big Sur or Monterey, go to Apple menu > System Preferences > General > Software Update. You will see any available software updates for your Mac here, including the Safari 16.4.1 update. Follow the prompts to update your browser. Note that you may have to enter your administrator password before updating.

Cybersecurity takeaways for Apple users

This latest round of Apple updates offers a couple of important cybersecurity takeaways for Mac users.

First, Apple 0-days are real. We’re well past the old marketing hype about Macs not getting viruses. Mac security threats are out there, and it doesn’t help anyone if we bury our collective heads in the sand and pretend it isn’t happening.

To be clear, Macs and iPhones are well-designed and highly secure computing systems. But they’re still computing systems. Like all such systems, they will have vulnerabilities from time to time. It’s only by recognizing that these threats exist—and by taking them seriously—that we can protect ourselves.

Secondly, it’s important to use all available tools to defend yourself from Mac threats. One of the best of these is automatic updates. 0-days are real…but they are not the most popular attack vector. A far more likely scenario occurs when bad actors take advantage of unpatched known vulnerabilities. If you don’t have automatic updates enabled, turn them on today by following Apple’s support guidance. Be sure to toggle on the Install Security Responses and system files option to receive more frequent security updates via Apple’s new Rapid Security Response feature.

Filed under Apple, Security News

Tags apple, iOS, macOS, security