iOS 15.6.1, iPadOS 15.6.1, and macOS 12.5.1 Monterey Address Serious Security Vulnerabilities

Apple does not force anyone to update any of its devices. And Apple is quite remarkable in the electronics industry for supporting their devices for years longer than other companies. I’ve had my 8+ since 2017, and I expect upgrades and fixes to be available for it for a while.

Google only supports Android devices for three years:

Personally, I’d rather not risk running into problems because I did not update my Apple devices on a timely basis. To date, Apple has been supporting iPhones and iPads for seven years:

Are these updates in reaction to the vulnerabilities announced in the national news on Friday, 19 Aug 22 or should we expect more updates? What about those of us who are hardware limited to High Sierra? Is Tim just throwing us under the bus?

Unfortunately, I also have an iPad Mini 5 that I can’t take past iOS 14.4.2 due to a critical app that won’t work in 14.4.3 and higher. An updated version is under development but probably won’t be released for several months yet.

Yes, exactly that, as described in About the security content of macOS Monterey 12.5.1 - Apple Support, https://support.apple.com/HT213412 and https://support.apple.com/HT213414.

Still too early to know for certain, but most likely HS will never receive another update of any kind, beside XProtect. Not clear that other OSs have this vulnerability and fairly certain that Apple did not have time to test other OS versions.

That being said, High Sierra is full of many other vulnerabilities, some perhaps even more serious than these last two. There is precedent for updating legacy OSs, but very rare (I believe only once or twice). And all this goes back much further than Tim Cook’s era.


That this update made news headlines everywhere should perhaps not be interpreted as reflecting the seriousness of the bugs fixed. We’ve experienced zero days before and they didn’t get this kind of coverage. Slow news day perhaps it seems. The real message remains unchanged: keep your Macs and devices up to date, particularly with security updates. See here.

I get the impression that most (not all) of the vulnerabilities are with Safari and WebKit.

So if you’re on a Mac that isn’t being updated anymore, consider using a web browser that is still receiving updates for your platform. Like Firefox, Chrome or Edge (which is based on the same Chromium engine that Chrome uses).

It won’t protect you against all vulnerabilities, but may be good enough for your specific situation.

Well, besides Safari, I have Brave, iCab, Opera, Vivaldi browsers installed. I refuse to install Chrome since its primary purpose is to harvest private data for Google. I used to have Firefox ESR but an update a couple of years back trashed it and I couldn’t reinstall it. I’ll try installing the current version of Firefox ESR and see if I can get it to work.

Of course, it’s worth noting that Brave, Opera and Vivaldi are all based on the open source Chromium engine. They’re effectively the same browser, just with different UIs and built-in extensions. (So are Chrome, with Google extensions and Edge, with Microsoft extensions).

Unfortunately, this means there really are only four distinct browsers out there. Firefox (based on Gecko), Safari (WebKit), iCab and lots of different Chromium-based apps.

(Correction: I previously wrote that iCab was end-of-life. I was wrong and was corrected later on in this discussion thread.)

As for Firefox compatibility, the latest version (103.0.2) says that it supports macOS 10.12 (Sierra) and later. So it should work with your High Sierra system. Firefox 103.0.2 System Requirements

In my personal experience, it runs fine on my 2011 MacBook Air (running Sierra), except for a long delay (about a 1 minute timeout) when I try to print (but there are no problems printing from Big Sur). They had fixed that bug about a year ago, but it recently resurfaced. I suspect they don’t have a lot of people testing builds on Sierra.

The latest ESR builds (91.12.0 and 102.1.0) should also work fine. I don’t recall having any problems (other than the above printing delay problem) with 91 or 102 on my Sierra system when they were the latest builds.


As David already mentioned, Firefox 103.02 runs on High Sierra and I use it on an older system which is mainly for music playback but also for some web browsing on a tv and it works fine.

I installed Firefox 91.12.0esr and have imported the bookmarks from Safari. I’ll have to see if this version works as well as the older pre-Chrome versions did.

This war between offenders and potential victims is, unfortunately, a habit.
I have installed the update immediately without any issue for my MacBook Pro 16", but for my Studio Display, this is another matter; all updates are problematic; it took me more than one hour to get my display functional again.
I have written this to the support:

Let me summarize:

  • I have a Studio Display and for the 3rd time the system update is problematic
  • after several restarts and disconnections, I finally got a working screen
  • I had to wait an hour and a quarter and a technician suggested I go to the store myself with a 10 kg package.

Do the problems go back to Cupertino? There are some kicks that get lost…
Steve would have cut off a few heads!
Upgrading a screen with an A11 processor is the same as upgrading an iPhone or an iPad; fortunately we don’t have to bring back hundreds of millions of devices in stores.

The problem has been solved but I would like the next update to go well.
Do you report the problems so that the errors don’t happen again?

Am I alone with those issues?

Just to provide a data point, I’ve only undergone one needed firmware update for my new Studio Display, to Version 15.5 (Build 19F80). I had no issues, and the update took about five minutes to complete. So your experience isn’t universal, but I have no idea how common either of our experiences are among Studio Display owners.

Happy for you!
At the previous issue, Apple support proposed to me to change my display because it was within 2 months after reception.
I did not want to because I hate the waste of resources; I perhaps should have accepted…

Brave may be based on Chromium but it is a very different animal than Chrome or any other related Web browser. . .

Brave is a privacy/security-oriented browser that right out of the box is very good at its default settings. Users can tweak Brave settings to make it even better. And it is compatible with privacy and security extensions that work with Chromium browsers, so you can add old favorites that quit working when Safari 13 was introduced.

I have used Brave a lot and while I have had various issues with it, security hasn’t been one of them.

The iCab site still shows it as current with version 6.1.4 usable back to Mac OS 10.13:

https://www.icab.de/download.html

My bad. I misunderstood the Wikipedia page. It says the classic MacOS version (not the whole product) was discontinued in 2008.

For some reason, that page mentions Classilla (an unrelated product) as the last Classic MacOS browser, which was discontinued in 2021. It seems to me that that line shouldn’t be on the iCab page at all.

I am having similar problems, but I don’t understand your explanation and solution. Thank you.

In System Preferences / Users & Groups, Control-Click a User to open Advanced Options. The Choose… button allows you to designate a Home Directory other than the default. My User Space is huge because I have many photos and movies, so to save space on my System Disk I relocate it to the Pegasus RAID.

It seems the update to 12.5.1 reverted this customization back to default, sort of. The System could not find my actual User Space, so instead it showed me the unmodified space of a new user. In the Finder, an alias pointing to the Pegasus was created alongside the actual Pegasus icon. In the Users & Groups Advanced Options panel, below Home Directory is a box for Aliases. After the update to 12.5.1 this box contained an alias. When I deleted the alias from the box, the alias in Finder which pointed to the Pegasus array disappeared.

A major symptom of this issue was I could not log on to my user space. When I tried, after a delay I would get an error dialog informing me “You cannot log into your user space because an error occurred”.

Restoring the link to the relocated user space seems to fix the problem. I am not confident this is a full solution. I am pretty sure I renewed the relocation earlier, but today it needed restoring again. I wonder if the security enhancements of the 12.5.1 update disable user space relocation. If anyone knows, I would appreciate the information. I will also ask Apple.


Thank you very much. Very interesting. Sorry for having created more work for you to write such a detailed reply.

Just checked my 15" Mid-2015 MacBook Pro and Software Update says I’m completely up-to-date with MacOS 12.4. Did the 12.5 & 12.5.1 updates drop the 2015 models?

The bug introduced in 12.5.1, where relocated user spaces cannot be used to start up the Mac, remains after the update to 12.6. This issue has been reported by several others: Unable to login with user folder on external drive since 12.5.1 upgrade.

I tried to submit a support request to Promise, maker of my RAID where my user space is located, and discovered another bug probably introduced by 12.5.1. Promise provides support via a web page created in response to each user’s request. I could not get support because this web page would not open. I do not know what caused that issue, but after updating to 12.6 the support page again works.

Now I will file a bug report with Promise, and a Feedback Assistant report with Apple. I have already discussed this issue with Apple support. At that time (running macOS 12.5.1), Apple had no suggestion for how to eliminate the problem, nor did they say this was now intended behavior. That is to say, as I understood what they were telling me, relocated user spaces should still work.