March 31st, 2022 by Jay Vrijenhoek and Joshua Long
On Thursday this week, Apple released updates to the current versions of its operating systems—including fixes for two “actively exploited” vulnerabilities. Let’s take a look at what these updates have to offer in terms of security patches.
macOS Monterey 12.3.1
Apple’s latest Mac operating system update is available for all supported Macs currently running macOS Monterey. According to Apple, “macOS Monterey 12.3.1 includes bug fixes and security updates for your Mac.”
Only two security-related patches are known to be included in this update, but both of them are quite serious and require urgent patching:
AppleAVD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.*
CVE-2022-22675: an anonymous researcher
Intel Graphics Driver
Impact: An application may be able to read kernel memory
Description: An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation. Apple is aware of a report that this issue may have been actively exploited.*
CVE-2022-22674: an anonymous researcher
Given that these security vulnerabilities have been actively exploited in the wild, it was necessary for Apple to release this update just two weeks after macOS Monterey 12.3.
For the full list of security patches included in macOS Monterey 12.3.1, have a look here.
This update also addresses the following non-security issues:
- Bluetooth devices, such as game controllers, may disconnect from your Mac after playing audio through some Beats headphones
- USB-C or Thunderbolt external display does not turn on when connected to Mac mini (2018) as a second display
- Some 2021 MacBook Pro models cannot update or restore to macOS Monterey 12.3 (affects 14″ and 16″ 2021 models)
- Resolves an issue where a software update may become stuck at an Apple logo and progress bar (for enterprise customers)
You can get this update by going to System Preferences > Software Update, where compatible Macs running macOS Mojave or newer will see the Monterey update appear. If your Mac is running High Sierra or older, look for macOS Monterey in the App Store and download it from there.
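For administrators who would rather check a fleet from a terminal than click through System Preferences, the following added script (not part of the Intego post) compares the running macOS version against 12.3.1, the first build carrying the fixes for CVE-2022-22675 and CVE-2022-22674, and, when the Mac is behind, lists what Software Update has pending. The version comparison is pure POSIX sh; only the final block calls the real `sw_vers` and `softwareupdate` tools, so it also runs on other platforms for testing. The `PATCHED` value and the wording of the verdicts are this example's own choices.

```shell
#!/bin/sh
# Added example, not Intego's or Apple's code. Checks whether this Mac runs
# at least macOS Monterey 12.3.1 (the build that fixed the two actively
# exploited issues) and, if not, shows what Software Update offers.

PATCHED="12.3.1"   # first macOS build with the CVE-2022-22675/22674 fixes

# version_ge A B: return 0 when dotted numeric version A >= B.
# Components are compared numerically, left to right; missing trailing
# components count as 0, so "12.3" is treated as "12.3.0".
version_ge() {
  va="$1"; vb="$2"
  while [ -n "$va" ] || [ -n "$vb" ]; do
    ca=${va%%.*}; cb=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va="" ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb="" ;; esac
    ca=${ca:-0}; cb=${cb:-0}
    [ "$ca" -gt "$cb" ] && return 0
    [ "$ca" -lt "$cb" ] && return 1
  done
  return 0
}

# patch_status VERSION: print a verdict; return 0 only when the version
# already includes the 12.3.1 security fixes.
patch_status() {
  if version_ge "$1" "$PATCHED"; then
    echo "macOS $1: includes the 12.3.1 fixes (CVE-2022-22675, CVE-2022-22674)"
    return 0
  fi
  # Note: Big Sur (11.x) and Catalina (10.15.x) received no corresponding
  # patch at the time of the post, so for those this only flags exposure.
  echo "macOS $1: older than $PATCHED; the actively exploited fixes are not installed"
  return 1
}

# On a real Mac, read the running version and list pending updates.
# sw_vers and softwareupdate are standard macOS tools; elsewhere this is skipped.
if command -v sw_vers >/dev/null 2>&1; then
  if ! patch_status "$(sw_vers -productVersion)"; then
    softwareupdate -l 2>&1 | grep -i "monterey" \
      || echo "No Monterey update is listed; check Software Update manually"
  fi
fi
```

Run it with `sh check_monterey.sh` (any file name works); a non-zero exit from `patch_status` is what a management script would key on to schedule the update.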
Whither macOS Big Sur and macOS Catalina updates?
Notably, Apple did not release any updates for macOS Big Sur or macOS Catalina, the two previous versions of macOS. Apple typically releases some, but not all, security updates for the “n minus 1” and “n minus 2” major macOS versions.
Intego’s Chief Security Analyst, Josh Long, discovered last year that even actively exploited vulnerabilities that affect older versions of macOS do not necessarily get patched for those older macOS versions. See our article, “Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious.”
It is not known whether the two in-the-wild vulnerabilities that Apple addressed in macOS Monterey 12.3.1 may also be exploitable in Big Sur or Catalina. Given that both vulnerabilities were reported anonymously, and that Apple has not given much detail about them, we may never know, unless Apple releases corresponding patches at a later date.
Intego has reached out to Apple to inquire as to whether Big Sur or Catalina are impacted by either of the actively exploited vulnerabilities. This article will be updated if Apple responds, or if Apple releases corresponding patches for one or both of the older macOS versions.
iOS 15.4.1 and iPadOS 15.4.1
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
iOS 15.4.1 includes bug fixes and security updates for your iPhone and is recommended for all users.
Only a single security fix is known to be included with this update: the same “actively exploited” AppleAVD issue that was addressed in macOS Monterey. Users should update quickly to iOS and iPadOS 15.4.1 to stay safe from the in-the-wild vulnerability.
This update also includes the following non-security bug fixes:
- Battery may drain more quickly than expected after updating to iOS/iPadOS 15.4
- Braille devices may become unresponsive while navigating text or displaying an alert
- Made for iPhone/iPad hearing devices may lose connection within some third-party apps
User complaints about reduced battery life after an iOS update are nothing new. Often when an iOS or iPadOS update is released, social media and forum posts will claim that the update has reduced battery life. In some cases, simply restarting the device may fix the problem. To have a battery drain issue acknowledged by Apple is refreshing, and to have a software fix available just two weeks after 15.4 rolled out is certainly nice.
Unfortunately, it may take up to 1–4 weeks for any new iOS or iPadOS version to roll out to customers (as discussed on this week’s Intego Mac Podcast episode, number 233), unless users pay attention to third-party Apple or security news sources like Intego’s The Mac Security Blog and manually check for new updates when they’re released.
Given that Apple’s new Studio Display runs a full version of iOS 15.4, it is currently not known if the 15.4.1 update is available for the display as well, or if it even needs it. With a software fix for the poor webcam quality from those displays forthcoming, coupled with the current security vulnerability in 15.4, we will soon find out how Apple plans to deliver software updates to the displays.
Details about the security issue addressed in iOS and iPadOS 15.4.1 can be found here.
watchOS 8.5.1
Available for: Apple Watch Series 3 and later
The new watchOS 8.5.1 update “includes security updates and bug fixes for your Apple Watch.” However, Apple says that the update “has no published CVE entries” (i.e. no publicly disclosed vulnerabilities) at the time of writing.
It is unclear whether this means that Apple mistakenly used boilerplate text, or intentionally used it because users updating from a watchOS version older than 8.5 will also receive all the security fixes found in 8.5 (which 8.5.1 includes). It may also mean that watchOS 8.5.1 includes fixes for security issues that have not been assigned a CVE number.
Intego has inquired of Apple whether or not watchOS 8.5.1 contains non-CVE security fixes. This article will be updated if Apple responds.
To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.
tvOS
Available for: Apple TV 4K and Apple TV HD
Apple notes “This update includes stability improvements when setting up or restoring your Apple TV,” but does not provide any further details. The Apple security updates page states that the update “has no published CVE entries,” and currently does not list any security issues addressed in this update.
The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
audioOS
Apple’s rarely-mentioned audioOS operating system for HomePod also received an update. Apple has never mentioned audioOS on its security updates page, so it is unclear whether any security issues were addressed in this week’s update.
HomePod updates are generally not urgent, and they are supposed to install automatically. However, if you would like to update your HomePod or HomePod mini’s operating system manually, you can go into the Home app on your iPhone or iPad, then tap the House icon > Home Settings > Software Update > temporarily disable (toggle off) Install Updates Automatically > then tap Install. After updating, remember to re-enable the Install Updates Automatically setting.
Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s macOS Monterey, iOS, and iPadOS updates. This week’s watchOS, tvOS, and audioOS updates are not as urgent.
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our related article on checking your macOS backups:
How to Verify Your Backups are Working Properly
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices.
This week, in episode 233, Josh and Kirk discussed why iOS updates—including ones containing critical security fixes for actively exploited vulnerabilities—can take up to four weeks to roll out to users. Be sure to follow the podcast to make sure you don’t miss any episodes!
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.
About Jay Vrijenhoek
Jay Vrijenhoek is an IT consultant with a passion for Mac security research.