Apple Updates All Active Operating Systems to Block Exploited Security Vulnerabilities

Originally published at: Apple Updates All Active Operating Systems to Block Exploited Security Vulnerabilities - TidBITS

Updates to new and old versions of macOS, iOS, iPadOS, and watchOS address kernel and WebKit security vulnerabilities actively exploited in the wild. Install them as soon as you reasonably can.

For those getting the “base build is not compatible for this install” error, my workaround is to do a re-install of Ventura (I have an M1 MacBook Pro, but it’s managed by work/Jamf, and I suspect until Apple fixes the updater, the best solution was to boot into Recovery mode and install Ventura). It put 13.4.1 and updated.

Seems some get it, some don’t.


RISK:

Government:
Large and medium government entities: HIGH
Small government: MEDIUM

Businesses:
Large and medium business entities: HIGH
Small business entities: MEDIUM

Home Users: LOW


Thanks! I wonder how they come up with those Low/Medium/High rankings.


Ventura update 13.4.1 temporarily broke my Mac Pro desktop computer. After installing the update, many of my menu items hung or would not work after the machine rebooted from the update. To fix it, I simply restarted the machine from “Restart” under the Apple Menu. Based on this experience, I strongly advise users to immediately restart their machines after installing the 13.4.1 security update if they expect their machines to properly function after the install. So much for proper SQA before release!

I would assume it’s based on who they know has been targeted so far.


I can’t track down the methodology at the moment, but IIRC, they have a scoring system that includes things like ease of exploit, potential damage from an exploit, prevalence of an exploit, infrastructure targeted by the exploit, and so on. Of course, there’s a certain amount of subjectivity involved, but they end up with a numeric score that gets translated to the qualitative “low, medium, and high” risk assessments.

The published risk assessments are intended to be very general guidelines for classes of users rather than particular users. It’s important that people and organizations perform their own risk assessments based on their actual installed software, hardware, and configurations.

For example, there might be an advisory that classifies a vulnerability in a particular Cisco router as a high risk for enterprises and a low risk for home users, but if you happen to be a home hobbyist who picked up that router at a surplus sale, you probably would have at least medium risk, i.e. the vulnerability might be easily exploited, but it is less likely that you would be targeted as an individual than as a large enterprise.


Howard Oakley is reporting that these security fixes are related to malware that Kaspersky is terming “Triangulation” that uses a malicious iMessage to compromise a device. I haven’t had time to read up on it yet, but he says that it has been around since 2019, when Mojave and Catalina were current, so they may be affected as well and aren’t receiving security fixes anymore.

Doing them for the last couple of hours.

MacBook Pro 15" Mid 2015: Done, took just over an hour

iPhone 12: Done, took about 1/2 hour

Apple Watch: Doing, says it’ll take 2 hours

iPad Mini 6: Done, took about 25 minutes

https://www.intego.com/mac-security-blog/apple-patches-vulns-used-to-infect-russian-iphones-with-triangledb-malware/

2 of the 3 vulnerabilities had been used in targeted attacks to install TriangleDB malware on iPhones in Russia.


Most likely by the FSB, and/or GUSP. Of course, Putin’s new Soviet Russia is blaming these United States!

BTW, while reading that article, I saw another that supposedly will let me install macOS 12.6.7 on my mid-2011 iMac & MacBook Air to get the latest security updates. How to Install macOS Sonoma on Unsupported Macs, for Security Improvements - The Mac Security Blog

So, for a late-2012 Mac Mini that can’t go beyond Mojave, I should be OK as long as I remain careful about suspicious links in texts/iMessages? And I do get weird texts now (purporting to be from the Post Office) that I ignore.

While this does seem to be a targeted attack, the post above mentions that this is delivered by an “invisible” message, which leads me to believe that it’s zero-click - just having the message delivered may cause the exploit to get triggered. So perhaps to be extra-careful, don’t use iMessage on a vulnerable OS, and don’t have text messages delivered to that computer as well?

Like I said - these were targeted to Russians supposedly, but I always worry that once the word is out, somebody else will figure it out, so it’s probably for the best to be cautious if you have no other choice but to use Mojave?


Post office text message scams are pretty common. It’s just another flavor of spam.

Regarding your 2012 Mini, it is supported through Catalina, though of course it’s possible that you have software that doesn’t work with Catalina.

The YouTube Channel Mr. Macintosh also publishes regular good walkthroughs on installing & upgrading OpenCore Legacy Patcher.