iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1 fix two actively exploited security issues
Apple has released the iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1 updates to all users. They come with important security fixes for two actively exploited issues.
iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1 fix 0-day issues
The first security flaw is in IOSurfaceAccelerator. Apple notes that the bug could have allowed an app to execute malicious code with kernel privileges. The vulnerability, tracked as CVE-2023-28206, is described as an out-of-bounds issue that was fixed by improving input validation.
The other vulnerability, tracked as CVE-2023-28205, affects WebKit, the browser engine that is used in Apple Safari and that also powers web apps on iPhones, iPads, and Macs. This bug could have allowed malicious web pages to achieve remote code execution. Apple says that it improved memory management to patch the use-after-free issue.
Please refer to the security updates page on Apple's website for more details about the issues.
Safari 16.4.1 for macOS Big Sur and Monterey
Apple has also patched the second vulnerability (CVE-2023-28205) by releasing the Safari 16.4.1 update, which is available for macOS Big Sur and Monterey.
Both zero-day vulnerabilities were discovered by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. Apple has acknowledged that the two security flaws may have been actively exploited by hackers.
Other fixes in iOS 16.4.1
The release notes for the latest version state that the software update fixes an issue where Siri, the personal assistant, was not responding to commands in some cases. iOS 16.4.1 also patches a problem with one of the new emojis introduced in the previous update. The Pushing hands emoji did not display options for skin tone variations; it now works correctly in the latest update. This issue has also been fixed on Mac.
Apple's System Status page indicates that problems related to the Weather app have been resolved. It seems to work fine for me, but some users claim that the app still does not load the data properly.
macOS 13.3.1 fixes Apple Watch Unlock issue
Apple released macOS Ventura 13.3 about two weeks ago with several security fixes. Unfortunately, it also broke a few things. One of these issues prevented Apple Watch users from unlocking their connected Mac automatically. The macOS 13.3.1 release notes mention that this problem has been fixed. Some users have reported that the update also fixes the Universal Control and Handoff issue that affected people who updated to macOS Ventura 13.3.
The iOS 16.4.1 update is available for the iPhone 8 and later, while the iPadOS 16.4.1 update is available on iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
It is rather unusual for an OS update to land during a holiday weekend, but given the nature of the security issues, it is understandable. If you haven't done so already, go to the Settings > General > Software Update section to check for the update manually on your iPhone, iPad or Mac. Users on macOS Big Sur and Monterey can also do the same to get the latest version of Safari.
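For anyone responsible for more than one device, the same check can be run over an inventory export. The script below is an added example, not code from the article or from Apple: it compares reported versions against the fixed releases named above and treats Big Sur and Monterey separately, since the article only lists a Safari update for them. The inventory rows, host names, and status labels are assumptions made for illustration.

```python
# Fixed releases as stated in the article; everything else here is illustrative.
FIXED_OS = {"iOS": (16, 4, 1), "iPadOS": (16, 4, 1), "macOS": (13, 3, 1)}
SAFARI_FIX = (16, 4, 1)          # Safari update for the two older macOS releases
SAFARI_ONLY_MAJORS = {11, 12}    # macOS Big Sur (11) and Monterey (12)

INVENTORY = [  # constructed sample rows: (host, platform, os_version, safari_version)
    ("iphone-01", "iOS", "16.4.1", None),
    ("ipad-07", "iPadOS", "16.4", None),
    ("mbp-12", "macOS", "13.3", None),
    ("imac-03", "macOS", "12.6.3", "16.4.1"),
    ("mini-09", "macOS", "11.7.4", "16.3"),
    ("iphone-old", "iOS", "15.7.3", None),
]

def parse_version(text):
    """'16.4' -> (16, 4, 0); pad to three fields so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit(platform, os_version, safari_version=None):
    """Return (status, detail) for one device, using only what the article states."""
    if platform not in FIXED_OS:
        return "unknown", f"{platform} is not covered by the article"
    os_v = parse_version(os_version)
    if platform == "macOS" and os_v[0] in SAFARI_ONLY_MAJORS:
        if safari_version is None:
            return "unknown", "Safari version missing; cannot judge CVE-2023-28205"
        if parse_version(safari_version) >= SAFARI_FIX:
            return "webkit-patched", "CVE-2023-28205 fixed; no CVE-2023-28206 fix listed"
        return "vulnerable", "update Safari to 16.4.1 (CVE-2023-28205)"
    if os_v[0] < FIXED_OS[platform][0]:
        return "unknown", "older major release; the article names no fixed build"
    if os_v >= FIXED_OS[platform]:
        return "patched", "has the fixes for CVE-2023-28205 and CVE-2023-28206"
    return "vulnerable", "update to " + ".".join(map(str, FIXED_OS[platform]))

def run_audit(rows=INVENTORY):
    """Map each host to its status label."""
    return {host: audit(plat, osv, saf)[0] for host, plat, osv, saf in rows}

if __name__ == "__main__":
    for host, plat, osv, saf in INVENTORY:
        status, detail = audit(plat, osv, saf)
        print(f"{host:11} {plat:7} {osv:8} {status:15} {detail}")
```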
Thanks @Ashwin for the article! :]