PSA: Make Sure to Update, iOS 16.6.1 and macOS 13.5.2 Address Actively Exploited Vulnerability

[coolfactor]

So what's the difference between these updates and the automatic behind-the-scenes thing that is supposed to keep us all safe without us having to do anything?

It's unclear when Apple decides to issue Rapid Security Response (RSR) updates.

You can read more here:

About Background Security Improvements for iOS, iPadOS, and macOS - Apple Support (CA)

Background Security Improvements delivers additional security protections between software updates.

support.apple.com

And the list of releases here:

Apple security releases - Apple Support (CA)

This document lists security updates and Rapid Security Responses for Apple software.

support.apple.com

The last RSR update was mid-July. Sounds this exploit fix in today's update should have been issued as an RSR, too.

 

[CharlesShaw]

Updating takes ... 10 minutes of your life? A decade ago, that could've been an hour or two.

M1 iPad was quick, iPhone 12 less quick, and updating anything on the Watch takes time. My 2018 Mac takes a while too.

 

[pshufd]

I'm going to update my test M1 mini, and run my workflow to ensure it doesn't break me and then upgrade my other Macs. I hope that this gets fixed in Monterey as well as I'm running that on two of my Macs.

 

[k1121j]

For those of us who are stuck on an unsupported Mac OS version due to financial reasons, any details on how this image exploit is used so we can try to avoid it? Is it as simple as someone emailing you an image embedded into the body? Or an attachment you have to open?

Open Core works great on my 2016 MBP

 

[now i see it]

I'm running iOS 12 and that's as far as I can go

 

[nilk]

Updating takes ... 10 minutes of your life? A decade ago, that could've been an hour or two.

Takes more time than that for me, but security is way too important, so a half hour ago I was frantically running around the house starting updates on all my Apple devices and the ones my family members will let me update, and I'm going back around making sure they started (need to do this because e.g. iTerm2 stopped one from restarting). Had to clear some space on two of the ipads because there wasn't room for the update.

Waiting around for two weeks while being vulnerable to a remote code execution vulnerability that can be easily fixed with a software update seems... unwise. At least schedule it to do the update tonight if you're not going to do it right now. I often do that with my iPhone on days when I don't want to go without cellular during the day (long press the update button for that). This time I didn't wait.

 

[antiprotest]

Confirming safe to install on iPhone, iPad, and Mac. At least for my devices.

 

[antiprotest]

I'm running iOS 12 and that's as far as I can go

Hackers' paradise. But honestly I'm not judging. Good luck.

 

[Icelus]

Seems it was reported at least 16 days ago.

CVE - CVE-2023-41064

 

[thawk9455]

Is this vulnerability found in prior OS versions? I'm in iOS 15 and it always confuses me when they don't mention explicitly if the vulnerability was introduced in the current series (ie. iOS 16) or goes back further but that they won't support it with a minor update. Apple does have a track record of sometimes releasing updates for prior iOS series so that's why I am not always clear.

Apple recently clarified that only the latest OS version will get ALL security updates. They also have had a few times where they've released security patches for the latest OS and then days later released a patch for older versions.

About software updates for Apple devices

Before you begin to manage software updates and upgrades, understand how Apple handles the process.

support.apple.com

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 13, iOS 16, and so on), not all known security issues are addressed in previous versions (for example, macOS 12, iOS 15, and so on).

 

[MacMan988]

I wonder how much time was spent since Apple discovered those security issues that needs to be fixed ASAP and the date the update was released.

 

[Ethosik]

M1 iPad was quick, iPhone 12 less quick, and updating anything on the Watch takes time. My 2018 Mac takes a while too.

macOS is still bad at this. I can install months of updates in Windows 5 times faster than a Mac updates.

 

[MysticCow]

processing a maliciously crafted image could lead to arbitrary code execution, allowing a hacker to gain access to the operating system with a simple picture.

Why is it always this exact phrasing on the exploit and why can't it ever be fully fixed? It's always "a maliciously crafted image could lead to arbitrary code execution."

 

[thinkgolden]

macOS is still bad at this. I can install months of updates in Windows 5 times faster than a Mac updates.

I call B.S.!! Every time I have to unpack a DELL or Lenovo or any other PC in this IT world, I have to run updates 2 or 3 times because it can't do it at once and no way is it 5 times faster.

 

[centauratlas]

I am curious about the 17 beta status too.

 

[iHorseHead]

Updating takes ... 10 minutes of your life? A decade ago, that could've been an hour or two.

Are you sure? I don't remember it taking hours of my life even back in 2008.

 

[Themistokles]

Would there be any way of knowing whether one's device was affected by this?

 

[Ethosik]

I call B.S.!! Every time I have to unpack a DELL or Lenovo or any other PC in this IT world, I have to run updates 2 or 3 times because it can't do it at once and no way is it 5 times faster.

That was the case in the old days. And Dell adds A LOT. A LOT of bloat that impacts it too. But now with cumulative updates you just need one or very few (in cases like .NET) to get fully up to date. Also could be the Dell image was outdated and didn’t include the latest Feature update.

I’m talking about standard updates here. Even if your systems are fully patched, Windows update is still 5 times faster. Macs have three rounds of progress bars. Windows gets to 30% then restarts and finishes. Tie this with an NVME drive and you can literally apply Windows updates in 1-2 minutes. I never had a Mac update faster than 7 minutes. Even my M2 Ultra. And I currently have 8 macs.

 

[Icelus]

It's unclear when Apple decides to issue Rapid Security Response (RSR) updates.

You can read more here:

About Background Security Improvements for iOS, iPadOS, and macOS - Apple Support (CA)

Background Security Improvements delivers additional security protections between software updates.

support.apple.com

And the list of releases here:

Apple security releases - Apple Support (CA)

This document lists security updates and Rapid Security Responses for Apple software.

support.apple.com

The last RSR update was mid-July. Sounds this exploit fix in today's update should have been issued as an RSR, too.

If you’re wondering why this wasn’t released as a Rapid Security Response (RSR), that’s most probably because, now that Ventura has entered its first year of security-only maintenance, it no longer gets RSRs, which are reserved for Sonoma.

Apple has released Ventura 13.5.2, an urgent security update

Apple has just released the update to macOS Ventura 13.5.2, an urgent security update, to address a vulnerability in processing images that is being actively exploited. It’s around 1.9 GB to …

eclecticlight.co

 

[idiiamots]

Is this the one that slows down my phone and makes it buggy so I wanna buy a new one?

No, it's the one that makes Safari scrolling faster.

 

[falkon-engine]

Is this the one that slows down my phone and makes it buggy so I wanna buy a new one?

Or reports lower-than actual remaining battery life, so you're tempted to get the 15 next week?

 

[dumastudetto]

For those of us who are stuck on an unsupported Mac OS version due to financial reasons, any details on how this image exploit is used so we can try to avoid it? Is it as simple as someone emailing you an image embedded into the body? Or an attachment you have to open?

It's seriously time to buy a new macOS device so Apple can properly protect you.

 

[mjs916]

Updating takes ... 10 minutes of your life? A decade ago, that could've been an hour or two.

One might even argue that updating gives 10 mins of your life back nowadays.

Take a break from TokTik and the Book of Face or whatever they are called.

 

[TechnoMonk]

I found an image that clearly demonstrates the procedure for solving your issue, But be sure to close your eyes when you view this image to avoid being hacked.

View attachment 2256315

Evil Apple. They should support for ever.

 

[3304614]

Thanks for the heads-up, MacRumors. I have ‘Automatic Updates‘ enabled, but I always seem to be manually starting the updates myself. I can’t remember the last time Automatic Updates actually updated automatically, lol. Definitely never in 2023. Maybe it happened in 2022 (can’t recall).

And everything was plugged in and connected to WiFi while I was sleeping. Perfect opportunity to updated everything while I’m not using the devices. But that never seems to happen.

I know the Automatic Updates follows some Apple sever-side scheduling rules, but it seems to never (ever) work for me anymore.