
Jul 20, 2023

Update Now: Apple Ships Fixes for Zero

It's Patch Monday at Apple, with the company pushing out security updates for all of its platforms at once. And to judge from the release notes for its Mac, iPhone, and iPad updates, you should install these fixes as soon as possible.

The common risk addressed by updates now available for iOS 16, iPadOS 16, macOS Ventura and the current edition of Apple's Safari (available for the preceding Big Sur and Monterey versions of macOS) is a vulnerability in the WebKit framework inside that browser.

"Processing maliciously crafted web content may lead to arbitrary code execution," warns the relevant part of the release notes for iOS/iPadOS 16.3.1, Safari 16.3.1, and macOS 13.2.1. "Apple is aware of a report that this issue may have been actively exploited."

In plainer English, that means that going to the wrong website can put malware on your machine, and an Apple customer somewhere in the world has probably learned about this the hard way. Those notes say that Apple fixed the "type confusion issue" at fault "with improved checks."

The iPhone, iPad, and Mac patches also close a common kernel vulnerability that could let an app "execute arbitrary code with kernel privileges," while the Mac fix addresses a bug that an app could exploit to "observe unprotected user data." There's no mention of those issues being actively exploited.

The software-update dialogs shown on an iPhone, iPad, or Mac are much less specific, falling back on the usual vague descriptions of "security improvements and bug fixes" (as shown for the Safari patch on a Mac mini running macOS Monterey) and "bug fixes and security updates" (on an iPad mini 6). Once again, those dialogs do not link to the release notes for each patch and instead point to Apple's list of security updates—a dusty bookshelf of a page indexing patches going back to Jan. 8, 2020.

Note that while Apple has been testing a "Rapid Security Response" system to ship iOS and iPadOS fixes that can be applied without having an iPhone or iPad be left unusable for several minutes during an install-and-reboot cycle, Monday's patches will still demand some patience on the part of users.

Apple also shipped updates for the Apple TV's tvOS and the Apple Watch's watchOS, but Apple had not posted release notes for those patches as of late Monday afternoon.

Apple users should be used to this routine, as the company has had to patch "zero-day" bugs frequently in recent years. Last year, for example, August and September saw separate rounds of releases to fix vulnerabilities that Apple said could already have been weaponized.

The company has reason to be paranoid, having seen how such well-funded attackers as the Israeli firm NSO Group have exploited iOS glitches to target iPhones. In 2021, Apple sued that company, seeking to have US courts ban it from using its software and services.
