iOS 15.6.1, iPadOS 15.6.1, and macOS 12.5.1 Monterey Address Serious Security Vulnerabilities

Originally published at: iOS 15.6.1, iPadOS 15.6.1, and macOS 12.5.1 Monterey Address Serious Security Vulnerabilities - TidBITS

Evildoers are exploiting a pair of security vulnerabilities in iOS, iPadOS, and macOS 12 Monterey, so Apple has released focused updates to thwart them. Don’t delay, update today.

1 Like

After updating to macOS 12.5.1 I noticed many anomalies, beginning with I had to manually log in to my iCloud account. Eventually I figured out the source of the problems. My user spaces are relocated to avoid using up space on my System SSD. The update broke this relocation. After restoring the proper user spaces things are gong much more smoothly.

Also, after the update “to make the computer more secure” on my MacPro7.1 and my MacBookPro18,2, Silent Knight told me

Software Update found the following new or updated software:

  • Label: XProtectPlistConfigData_10_15-2162
    Title: XProtectPlistConfigData, Version: 2162, Size: 952KiB, Recommended: YES,
  • Label: XProtectPayloads_10_15-71
    Title: XProtectPayloads, Version: 71, Size: 13339KiB, Recommended: YES,

I allowed Silent Knight to install the recommended files. Maybe now my systems are more secure.

Because I don’t run auto-update I’m not sure, so on behalf of a family member: will this update install is she has auto-update turned on, or should she manually install it?

Thanks

Yes, eventually. Probably within 24 hours, but it could take up to 72 hours, which is a mechanism to prevent users from overwhelming Apple’s CDN servers.

The XProtect updates were only released today, so Catalina and above users should receive both at some point within 24-hours. Mojave and below users will only get the first one.

That assumes you have both “Automatically: Check for updates” and “Install system data files and security updates” enabled in System Preferences->Software Updates

So just Monterey?
I wonder if older macOS versions are affected. In attempting to preserve 3 macs with working hardware we are stuck on High Sierra, Catalina and Mojave here.
I never ceases to amaze that hackers seem to bring resources to this that Apple cannot.

1 Like

According to Apple security updates - Apple Support BigSur and Catalina get a Safari update 15.6.1

Yes, so that takes care of the WebKit vulnerability, but not the Kernel flaw.

Probably longer than that. I’ve deliberately waited to see how long it would take for an update to automatically install and it’s been measured in weeks before I was finally prompted.

Here’s what I was told by an Apple Source recently:

It can take an install’s own softwareupdate engine up to 24 hours to become aware of the newest update, and once aware it adds a random delay of up to 72 hours before informing the user that such an update is available (which sudo /bin/launchctl kickstart -k system/com.apple.softwareupdated usually resets). Apple does this to stop the entire planet from pummeling Apple’s servers & CDNs simultaneously.

Perhaps on MacOS, but that’s definitely not true on iOS, iPadOS, or tvOS. I’ve had TVs that are literally months behind on updates, and obviously you’re not going to run a terminal command on any of those platforms.

But anecdotally I know that I had my new M2 Air for two weeks before I was prompted for 12.5 just on Monday (ironically just days before 12.5.1). I hadn’t checked or realized that it was still on 12.4 when I received it. I still have my old 2015 MBA on 12.5; I’ll check later and see if it gets prompted for 12.5.1.

It may be that the XProtect updates were released slightly later, and thus were not part of the larger update. What I did not mention was after detecting the items still needing updating, SilentKnight could not install them until I turned off Caching. The bug still exists.

Just to follow up: yes, within a few hours of turning it back on, the 2015 MBA was prompted to install 12.5.1.

More than slightly. macOS 12.5.1 was released on 2022-08-17T17:22:45Z and the XProtect updates almost a day later at 2022-08-18T16:58:58Z.

You’ll have patiently wait and look for Security Updates for Mojave. The really annoying thing is that the constant Monterey Upgrade nagging (e.g. red dot in Sys Prefs icon) obscures important security updates for older macOS.

2 Likes

The last security update for Mojave was 2021-005 exactly a year ago tomorrow, so I would not be waiting if I were you.

2 Likes

AFAIK? (But what do I know) on older macOS it’s (just?) Safari that needs updating. Going to updates more should show that.

It’s actually WebKit that needs updating, which is used by more than just Safari, so in addition to the Safari app, several frameworks and other supporting files need to be updated(see below). You are correct that for Big Sur and Catalina Software Updates “More…” will show that, but my comment was directed to Mojave for which there haven’t been any updates for a year now.

In response to the advice from Apple and yourself I want to update the iOS on my wife’s iPhone 6s. But my concern is whether it will slow it down too much to be useful. Do I have to update such and old phone?
Robin Helmond