Apple patches two zero-day threats in iOS 16.6, macOS 13.5 and iPadOS 16.6
Apple has released iOS 16.6, macOS 13.5 and iPadOS 16.6. The updates patch a number of security issues, including two actively exploited vulnerabilities.
You may be aware that Apple released a Rapid Security Response (RSR) update for the three operating systems, i.e. iOS 16.5.1 (c), iPadOS 16.5.1 (c), and macOS 13.4.1 (c), a couple of weeks ago. That update addressed a zero-day threat, tracked under CVE-2023-37450, which could have allowed arbitrary code execution in web pages. Apple addressed the bug by improving some checks. The Cupertino company had initially pulled the updates after many users reported that the new firmware prevented Safari from working on some websites, including Facebook, Instagram and Zoom, to name a few. However, Apple resumed the updates after fixing the problem. If you had not installed the RSR update, don't worry: the same security fix is included in iOS 16.6, macOS 13.5 and iPadOS 16.6.
Another critical zero-click exploit fixed in iOS 16.6, macOS 13.5 and iPadOS 16.6
A total of 16 security issues in iOS and iPadOS, and 29 bugs in macOS, were discovered to affect various parts of the operating systems. One of the two critical vulnerabilities patched in iOS 16.6, macOS 13.5 and iPadOS 16.6 is the one that I described above. The other zero-day vulnerability was tracked as CVE-2023-38606. According to the release notes that the company has published on its support portal, the exploit could allow apps to modify sensitive kernel state. Apple says it affected versions of iOS that were released before iOS 15.7.1. It has resolved the issue by improving the state management in the operating systems. Apple has credited Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin of Kaspersky Labs for discovering and reporting the issue. The security researchers had published a paper about the exploit, which affected iMessage; they termed the zero-click threat Operation Triangulation.
The iOS 16.6 update is available for the iPhone 8 and later, while the iPadOS 16.6 update is available for the iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation).
Please refer to the change log for macOS 13.5 Ventura, iOS 16.6 and iPadOS 16.6 to learn more about the other bugs that were patched in the operating systems.
macOS 13.5 Ventura fixes Mac Pro hard drive issue
A month ago, users of the 2023 Mac Pro had some trouble with their internal SATA hard drives, which would disconnect unexpectedly when the device woke from sleep. The issue would occur if the user put the Mac to sleep or if the computer entered sleep mode automatically. Users who were affected by the issue saw a 'disk not ejected properly' error. Apple had acknowledged this as a known issue. macOS 13.5 Ventura fixes the problem, so if you were affected by the issue, you should install the latest update to resolve it.
Apple Safari 16.6, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8
The Safari 16.6 update has also been released for macOS Big Sur and macOS Monterey, with security fixes for various WebKit-related issues. The other security patches, including fixes for the zero-day threats, are shipping with macOS Monterey 12.6.8 and macOS Big Sur 11.7.9, which are getting 15 and 10 security patches respectively. iOS 15.7.8 and iPadOS 15.7.8 are now available for the iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation). The updates contain fixes for 10 security issues. Apple is also rolling out tvOS 16.6 and watchOS 9.6 for eligible devices with various fixes.
The company is not expected to add any new features in its current operating systems. Instead, they will be included in the next-gen versions, i.e. iOS 17, iPadOS 17, macOS 14 Sonoma and watchOS 10, which will be released in Fall 2023.
Oh no, is Apple trying to compete with Google for the title of “sloppiest group of coders who put their customers most at risk”??
Most Ghacks readers are probably too young to remember, but when Windows viruses were new in the 1990s, whenever anyone got a virus and started to tell their friends, someone would always retort, “Get a Mac”, because of the feeling at the time that Macs were invulnerable to malware.
WebKit has been crap of late. Either the WebKit team is getting sloppy or the hackers are focussing more on WebKit lately. Probably the latter but not really sure.