Apple
Apple has released new minor updates for iOS 16, macOS 13 Ventura, and most of its other actively supported operating systems that fix a pair of serious security bugs that the company says “may have been actively exploited.” You should install the iOS and iPadOS 16.5.1, macOS 13.4.1, and watchOS 9.5.2 updates at your earliest convenience, if you haven’t already.
One of the vulnerabilities, CVE-2023-32434, is a kernel-level flaw that can allow apps to “execute arbitrary code with kernel privileges.” The other, a WebKit bug labeled CVE-2023-32439, can allow the execution of arbitrary code after processing “maliciously crafted web content.”
The iOS and iPadOS 16.5.1 updates also fix a non-security bug “that prevents charging with the Lightning to USB 3 Camera Adapter.”
The updates aren’t just coming to iPhones, iPads, and Macs running the latest operating systems. Updates fixing the same bugs have been released for iOS and iPadOS 15, plus macOS versions 11 and 12 (via both macOS and Safari updates). Apple also released an update fixing the kernel bug for watchOS 8, which was the last version of the OS that supported the Apple Watch Series 3 (plus newer watches paired to older iPhones that can’t update to iOS 16). Updates for older versions of watchOS are exceedingly rare, highlighting the severity of any kernel-level security flaw.
The iOS and iPadOS 15.7.7 updates also fix a third closely related WebKit bug that allows remote code execution when processing web content, CVE-2023-32435.
Apple introduced a new feature called Rapid Security Response in iOS 16 and macOS 13 that allows for quicker patching of some security bugs, and the company released its first Rapid Security Response updates last month. The WebKit flaws patched today may have been patchable using the Rapid Security Response mechanism, but kernel-level security flaws will still require standard OS updates.
Apple is currently testing the next major releases of all its operating systems, including macOS 14 Sonoma and iOS 17. The company released the second beta builds of those operating systems to developers yesterday and is expected to release public beta versions sometime in July. In the meantime, non-developers who want to risk running beta software on hardware for testing can install the developer betas this year without paying the typical $99 for a developer account.
