Why is this getting so heavily publicized this time around? I'm not saying it's not worth informing people, but just, why this specific update? Apple patches (seemingly) similarly exploitive kernel and WebKit vulnerabilities all the time; no one's made any case for this being more novel than the others. Heck, Apple provided similarly-worded disclosure notes for a WebKit vulnerability in iOS 15.6 and AppleAVD in 15.4.1, and neither of those were paraded around as some critical, 'update now!!!' patches. Yet this one is all over the place.
 
Why is this getting so heavily publicized this time around? I'm not saying it's not worth informing people, but just, why this specific update? Apple patches (seemingly) similarly exploitive kernel and WebKit vulnerabilities all the time; no one's made any case for this being more novel than the others. Heck, Apple provided similarly-worded disclosure notes for a WebKit vulnerability in iOS 15.6 and AppleAVD in 15.4.1, and neither of those were paraded around as some critical, 'update now!!!' patches. Yet this one is all over the place.
It's even been on the mainstream news this evening in the UK. Got my (non-techy) mum and dad in a right spin this evening!
 
Is Apple going to do the standard 4 week delayed rollout for lazy people relying on Automatic Updates or will they force push this one?
 
I’ve had other issues with Safari lately that just disrupt workflow annoyingly. Now with security issues like this one, I feel I hate Safari a bit more from today. Sure, I’m using Ventura beta so it should be fixed eventually, but still.

And Apple refuses to allow third party web browser kernels being used on iOS devices. Other than protecting their bottom line, I can’t think of any other reason why they refuse to allow other rendering engines on iOS etc.
Is that the rendering engine that is used in Safari? Or the rendering engine that is used in the Mail app? Or the rendering engine that is used in the iTunes Store App? Or the rendering engine that is used by numerous third party iOS apps? Or is it all of the above?

Is that the rendering engine that gets fixed when Apple provide an update? Or is it the engine that doesn't get updated by a lazy third party developer in his web app?

It's not quite so simple a choice, you see...
 
Is Apple forcing this update? My wife claimed that she tapped "update later" and it immediately rebooted and began updating. I poo-poo'ed her wild crazy tale and told her to stay out of the cooking sherry until the same thing happened to me on my iPhone and iPad: I tapped "update later" and they both proceeded to install the update. o_O
 
Uhh is this fixed in the iOS/iPadOS/macOS 16 betas??

Probably not yet but you shouldn’t be using betas on devices with anything that matters on them anyway. Security is not part of the beta experience.

It’ll be fixed by final release.

Someone disagrees? How could they possibly keep on top of security bugs in a beta release? That’s not the point of these releases. It’ll be fixed in the next beta and definitely in the RC.

Furthermore think of all the security bugs likely introduced and then fixed throughout the beta process. They don’t get CVEs because it’s not production software.
 
Why is this getting so heavily publicized this time around? I'm not saying it's not worth informing people, but just, why this specific update? Apple patches (seemingly) similarly exploitive kernel and WebKit vulnerabilities all the time; no one's made any case for this being more novel than the others. Heck, Apple provided similarly-worded disclosure notes for a WebKit vulnerability in iOS 15.6 and AppleAVD in 15.4.1, and neither of those were paraded around as some critical, 'update now!!!' patches. Yet this one is all over the place.
It feels as though Apple pushed news agencies to heavily encourage installation of this update. Perhaps the implications of what could happen are particularly severe.
 
I decided to go for the update, my Mini 6 seems to be running faster than before and the storage bug has gone. Provided it charges without issue (on 36%, so I’ll find out soon-ish) it’s thumbs up from me. As I posted above it didn’t mention 15.6.1 being a security update but it did say security update when I updated an Air 5. I don’t know if Apple have realised this and updated the description across the board or it displays a different description on different devices.
 
MBA and Phone updated fine, I didn't realise my Mac mini was still on Big Sur so doesn't seem an update for that yet.
 
Why is this getting so heavily publicized this time around? I'm not saying it's not worth informing people, but just, why this specific update? Apple patches (seemingly) similarly exploitive kernel and WebKit vulnerabilities all the time; no one's made any case for this being more novel than the others. Heck, Apple provided similarly-worded disclosure notes for a WebKit vulnerability in iOS 15.6 and AppleAVD in 15.4.1, and neither of those were paraded around as some critical, 'update now!!!' patches. Yet this one is all over the place.
Well, the point releases come out on a fairly regular schedule in any case. A double-point patch implies a little more urgency. :)
 
You knew perfectly well when you bought your device that software updates are only provided for so long. It's not a new thing.
That's a weird take. All it does is push people away from Safari and onto alternatives like Chrome or Firefox or Edge that will not have this vulnerability.

"People should accept software vulnerabilities" is not a marketing slogan any successful company will run with.

At the very least, Apple should disable Safari on devices it is not going to fix. Allowing people to use buggy software is just going to harm the user and put a bad taste in their mouth. Not everyone reads MR. I doubt 1% of users are going to know about this vulnerability unless Apple warns them or pushes a fix.

The bottom line is if Apple won't fix their browser, people will switch to browsers that are secure. A shame, as Safari is my browser of choice.
 
That's just the reality of technology. At some point it becomes financially prohibitive to update older devices. Ironically, the hardware is so well made that it lasts longer than its firmware viability does.
This is why we need Right to Repair.

Because customers want to keep using the things they've bought after companies want to (or are able to) support them.

Just because the original company doesn't want to support something anymore shouldn't mean it's garbage now. Customers should be free to fix it themselves, and if there's enough people out there who want a fix, it should be possible for a business to be started around providing that fix.

(This does have major implications for how companies should be handling source code, build/dev tools, and documentation... I'd say that when software reaches EOL, it needs to be made open source. Like id Software has always done.)
 
I’ve moved to Edge, which works far far better than Safari has been lately on my M1 fleet.
I'd be very wary using Edge.
I switched to Edge for my Windows machine, and for a while it seemed ok, but became more and more intrusive (and this is with me turning on a lot of privacy settings).

First they banned several privacy plugins like AdNauseam from working.

Then they changed the password save feature to "Automatically save every password I type into Edge"

Then they added some super-spy feature, where I will do a search on a travel site, and then open a new tab and it will ask "Do you want me to input your Atlanta to Boston flight search into United.com"? NO, and I don't want you spying on my travel searches either.

I've switched to Ungoogled Chromium on PC, sticking with Safari on Mac.
 
Why in the first place, does Safari have kernel privileges? .....other browsers don't.
Personally, I'm deferring the update until I see actual reports of compromised phones from actual iOS users.
It doesn't have kernel privileges. However, there is a bug in the low level code that enables one to break out of the "sandbox" and then use that to gain privileged access.
 
This is why we need Right to Repair.

Because customers want to keep using the things they've bought after companies want to (or are able to) support them.

Just because the original company doesn't want to support something anymore shouldn't mean it's garbage now. Customers should be free to fix it themselves, and if there's enough people out there who want a fix, it should be possible for a business to be started around providing that fix.

(This does have major implications for how companies should be handling source code, build/dev tools, and documentation... I'd say that when software reaches EOL, it needs to be made open source. Like id Software has always done.)
Would you like Apple to release iOS source code to third parties so that they can provide fixes into the distant future? Because there are some really really important security implications around that...
 
I decided to go for the update, my Mini 6 seems to be running faster than before and the storage bug has gone. Provided it charges without issue (on 36%, so I’ll find out soon-ish) it’s thumbs up from me. As I posted above it didn’t mention 15.6.1 being a security update but it did say security update when I updated an Air 5. I don’t know if Apple have realised this and updated the description across the board or it displays a different description on different devices.
The storage bug was actually the malware taking up that space LOL
 
While the security fixes are always important and appreciated, I’ve moved to Edge, which works far far better than Safari has been lately on my M1 fleet.
Yup, it's really good at monitoring what you do and injecting shopping suggestions.

When they started doing that I moved back to Firefox and Safari.

BTW, on iOS it's a WebKit bug, so all browsers are impacted.
 
And if our devices are so old that they can't reach those OS versions, we're supposed to just not use them anymore, right? It sounds like a sarcastic question, but is that actually, in the grand scheme of security, what we're supposed to be doing?
Yes. Devices on an OS version that no longer receives security updates and can't be updated, should no longer be used for internet access.

That's true for anything - Mac, Windows, Android, TVs, toasters, baby cams, etc. I'd go even further and say that any device that *never* gets updates (like cheap IoT devices) shouldn't be used to begin with.

I know that's costly and harsh, but it's the reality of the world we live in today.
 
Which guide do you suggest for this project? Is there anything not working?
No guide is needed unless you want to change the icons and theme. If you just want the macOS type of Dock try this. Just go into settings --> appearance --> Dock and disable panel mode. The panel then looks similar to macOS Big Sur and has a slight transparent look to it. You can move the Dock to the right, left or bottom of the screen. You can also download icons to make it look even more like macOS.

Here are a few guides:


(How to make Ubuntu look like macOS Monterrey)
 