Apple fixes zero-day spyware implant bug – patch now!

by Paul Ducklin

Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems.

In version number terms:

  • iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635).
  • Apple Watches on version 9 go to watchOS 9.3.1 (no bulletin).
  • Macs running Ventura (version 13) go to macOS 13.2.1 (see HT213633).
  • Macs running Big Sur (version 11) and Monterey (12) get an update dubbed Safari 16.3.1 (see HT213638).

Oh, and tvOS gets an update, too, although Apple’s TV platform confusingly goes to tvOS 16.3.2 (no bulletin).

Apparently, tvOS recently received a product-specific functionality fix (one listed on Apple’s security page with no information beyond the sentence “This update has no published CVE entries”, implying no reported security fixes) that already used up the version number 16.3.1 for Apple TVs.

As we’ve seen before, mobile devices still using iOS 15 and iOS 12 get nothing, but whether that’s because they’re immune to this bug or simply that Apple hasn’t got round to patching them yet…

…we have no idea.

We’ve never been quite sure whether this counts as a telltale of delayed updates or not, but (as we’ve seen in the past) Apple’s security bulletin numbers form an intermittent integer sequence. The numbers go from 213633 to 213638 inclusive, with a gap at 213634 and gaps at 213636 and 213637. Are these security holes that will get backfilled with yet-to-be-released patches, or are they just gaps?

What sort of zero-day is it?

Given that the Safari browser has been updated on the pre-previous and pre-pre-previous versions of macOS, we’re assuming that older mobile devices will eventually receive patches, too, but you’ll have to keep your eyes on Apple’s official HT201222 Security Updates portal to know if and when they come out.

As mentioned in the headline, this is another of those “this smells like spyware or a jailbreak” issues, given that all the updates for which official documentation exists include patches for a bug denoted CVE-2023-23529.

This security hole is a flaw in Apple’s WebKit component that’s described as “Processing maliciously crafted web content may lead to arbitrary code execution.”

The bug also receives Apple’s usual euphemism for “this is a zero-day hole that crooks are already abusing for evil ends, and you can surely imagine what those might be”, namely the words that “Apple is aware of a report that this issue may have been actively exploited.”

Remember that WebKit is a low-level operating system component that’s responsible for processing data fetched from remote web servers so that it can be displayed by Safari and many other web-based windows programmed into hundreds of other apps.

So, the words “arbitrary code execution” above really stand for “remote code execution”, or RCE.

Installjacking

Web-based RCE exploits generally give attackers a way to lure you to a booby-trapped website that looks entirely unexceptionable and unthreatening, while implanting malware invisibly simply as a side-effect of you viewing the site.

A web RCE typically doesn’t provoke any popups, warnings, download requests or any other visible signs that you are initiating any sort of risky behaviour, so there’s no point at which the attacker needs to catch you out or to trick you into taking the sort of online risk that you’d normally avoid.

That’s why this sort of attack is often referred to as a “drive-by download” or a “drive-by install”.

Just looking at a website, which ought to be harmless, or opening an app that relies on web-based content for any of its pages (for example its splash screen or its help system), could be enough to infect your device.

Remember also that on Apple’s mobile devices, even non-Apple browsers such as Firefox, Chrome and Edge are compelled by Apple’s AppStore rules to stick to WebKit.

If you install Firefox (which has its own browser “engine” called Gecko) or Edge (based on an underlying layer called Blink) on your Mac, those alternative browsers don’t use WebKit under the hood, and therefore won’t be vulnerable to WebKit bugs.

(Note that this doesn’t immunise you from security problems, given that Gecko and Blink may bring along their own additional bugs, and given that plenty of Mac software components use WebKit anyway, whether you steer clear of Safari or not.)

But on iPhones and iPads, all browsers, regardless of vendor, are required to use the operating system’s own WebKit substrate, so all of them, including Safari, are theoretically at risk when a WebKit bug shows up.

What to do?

If you have an Apple product on the list above, do an update check now.

That way, if you’ve already got the update, you’ll reassure yourself that you’re patched, but if your device hasn’t got to the front of the download queue yet (or you’ve got automatic updates turned off, either by accident or design), you’ll be offered the update right away.

On a Mac, it’s Apple menu > About this Mac > Software Update… and on an iDevice, it’s Settings > General > Software Update.

If your Apple product isn’t on the list, notably if you’re stuck back on iOS 15 or iOS 12, there’s nothing you can do right now, but we suggest keeping an eye on Apple’s HT201222 page in case your product is affected and does get an update in the next few days.
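As an added example (not the article’s own code), here is a small Python triage that checks a constructed device inventory against the fixed version numbers listed above, so a defender can see at a glance which devices are still exposed to CVE-2023-23529 and which, like iOS 15 and iOS 12 devices, have no fix to install yet. The inventory rows, their field layout and the device names are assumptions; a real MDM export would supply them.

```python
# Added example (not from the article): classify a constructed device inventory
# against the fixed OS/Safari versions the article lists for CVE-2023-23529.
# Inventory rows and field names are constructed here; a real MDM export would supply them.
from typing import Optional

# Minimum fixed OS version per (platform, major version), as listed in the article.
FIXED_OS = {("iOS", 16): (16, 3, 1), ("iPadOS", 16): (16, 3, 1), ("watchOS", 9): (9, 3, 1),
            ("macOS", 13): (13, 2, 1), ("tvOS", 16): (16, 3, 2)}
# macOS 11 and 12 get the fix as Safari 16.3.1, so the Safari version is what counts there.
SAFARI_FIXED_MACOS_MAJORS = {11, 12}
SAFARI_FIXED = (16, 3, 1)

def parse_version(text: str) -> tuple:
    """'16.3' -> (16, 3, 0); pad to three components so tuple comparison works."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def status(platform: str, os_version: str, safari_version: Optional[str] = None) -> str:
    """Return 'patched', 'needs-update' or 'no-fix-listed' for one device."""
    ver = parse_version(os_version)
    if platform == "macOS" and ver[0] in SAFARI_FIXED_MACOS_MAJORS:
        if safari_version is None:
            return "needs-update"  # cannot prove the Safari fix is present
        return "patched" if parse_version(safari_version) >= SAFARI_FIXED else "needs-update"
    target = FIXED_OS.get((platform, ver[0]))
    if target is None:
        return "no-fix-listed"  # e.g. iOS 15 / iOS 12: nothing to install yet, watch HT201222
    return "patched" if ver >= target else "needs-update"

def triage(inventory):
    """Group inventory rows (name, platform, OS version, Safari version or None) by status."""
    out = {"patched": [], "needs-update": [], "no-fix-listed": []}
    for name, platform, os_version, safari in inventory:
        out[status(platform, os_version, safari)].append(name)
    return out

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "16.3.1", None),
    ("phone-02", "iOS", "16.3", None),
    ("phone-03", "iOS", "15.7.3", None),
    ("mac-01", "macOS", "13.2.1", None),
    ("mac-02", "macOS", "12.6.3", "16.3.1"),
    ("mac-03", "macOS", "11.7.4", "16.3"),
    ("tv-01", "tvOS", "16.3.1", None),
]

if __name__ == "__main__":
    for state, names in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Note that tvOS 16.3.1 lands in needs-update, because the article explains that the fixed Apple TV build is 16.3.2.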


As you can imagine, given how strictly Apple locks down its mobile products to stop you using apps from anywhere but the App Store, over which it exerts complete commercial and technical control…

…bugs that allow rogues and crooks to inject unauthorised code onto Apple phones are highly sought after, given that RCEs are about the only reliable way for attackers to hit you up with malware, spyware or any other sort of “cyberzombie” programming.

Which gives us a good reason, as always, to say: Don’t delay/Do it today.

