iOS 16.3, iPadOS 16.3, macOS 13.2 and watchOS 9: Apple has again patched numerous security holes with the updates provided on Monday evening. Once again, bugs are included that allow malicious code to be executed with kernel privileges – albeit not remotely, according to Apple (remote exploit). In addition, older operating system versions were also updated with security fixes.
Bugs in many areas
iOS 16.3 and iPadOS 16.3 fix security issues in a total of 15 areas. Apple is currently not commenting on three of the bugs, they are only mentioned with credits. The kernel, AppleMobileFileIntegrity, Safari, Screen Time and the WebKit browser engine are among those affected. Bugs in WebKit also allowed attacker websites to run code, albeit not with kernel privileges.
The bug in screen time allows contacts to be read out, the weather and map apps allow privacy settings to be bypassed. There was an issue in Mail where forwarded Exchange messages could go to the wrong addressees. ImageIO contained a denial of service vulnerability.
macOS 13.2 fixes security problems in a total of 26 areas of the operating system. Apple does not detail four of these bugs – in Bluetooth, the kernel, the shortcuts and WebKit. In addition to the vulnerabilities also included in iOS (AppleMobileFileIntegrity, ImageIO, Kernel, Mail, Maps, Screen Time, Weather, WebKit and Safari), the manufacturer also addresses bugs in curl, dcerpc, Intel graphics drivers, Windows Installer, DiskArbitration, libxpc, PackageKit and even Vim on. Again, there are bugs that allow malicious code to be executed, sometimes with kernel privileges.
The bug in DiskArbitration meant that an encrypted drive could sometimes be read by other users. According to Apple, remote exploit options have not been fixed.
watchOS 9.3 – and a missing tvOS 16.3
Finally, watchOS 9.3 for the Apple Watch also contains a number of patched security holes. Here they are almost a dozen – all errors that have already been fixed in the other updates, some are not explained in detail here either. Unpleasant: Apple has not yet provided tvOS 16.3, nor has HomePod OS 16.3.
It can be assumed that both updates also contain various security fixes that are still available without the updates being made available, but have already been documented by Apple and therefore offer a target for attack. It is not yet clear when tvOS 16.3 and HomePod OS 16.3 will appear. Both systems were actually expected this week.
(bsc)
