macOS 13.1 may be getting all the attention, but Apple hasn’t forgotten about its older operating systems. In addition to the first major Ventura update, Apple also released updates for Big Sur (11.7.2) and Monterey (12.6.2) that contain a slew of important security updates. Apple seems to have finished releasing updates for the two-year-old Catalina.
To update to the latest version of Monterey or Big Sur, go to System Preferences, click Software Update, and then click Install Now. Several of the updates have serious flaws that can lead to arbitrary code execution. Many of the security updates are the same for both operating systems, but there are three that are Monterey-only.
Monterey 12.6.2 security updates
bluetooth
- Influence: An app may be able to release kernel memory
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd (@starlabs_sg)
File system
- Influence: An app may be able to break out of the sandbox
- Description: This issue was addressed through improved checks.
- CVE-2022-42861: pattern-f (@pattern_F_) from Ant Security Light-Year Lab
Preferences
- Influence: An app may be able to use arbitrary permissions
- Description: A logic issue was addressed through improved state management.
- CVE-2022-42855: Ivan Fratric of Google Project Zero
Monterey 12.6.2 and Big Sur 11.7.2 security updates
parts list
- Influence: An app can bypass Gatekeeper checks
- Description: A logic issue was addressed through improved checks.
- CVE-2022-42821: Jonathan BarOr of Microsoft
Driver Kit
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed through improved memory handling.
- CVE-2022-32942: Linus Henze from Pinauten GmbH (pinauten.de)
IOHID Family
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition was addressed through improved status handling.
- CVE-2022-42864: Tommy Muir (@Muirey03)
Kernel
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition has been fixed with additional validation.
- CVE-2022-46689: Ian Beer of Google Project Zero
Kernel
- Influence: An app with root privileges may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42845: Adam Doupe of ASU SEFCOM
Kernel
- Influence: A remote user may be able to cause the execution of the kernel code
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42842: pattern-f (@pattern_F_) from Ant Security Light-Year Lab
libxml2
- Influence: A remote user could potentially cause an unexpected app termination or arbitrary code execution
- Description: An integer overflow was addressed through improved input validation.
- CVE-2022-40303: Maddie Stone from Google Project Zero
libxml2
- Influence: A remote user could potentially cause an unexpected app termination or arbitrary code execution
- Description: This issue was addressed through improved checks.
- CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero
ppp
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42840: an anonymous researcher
xar
- Influence: Processing a maliciously crafted package may lead to arbitrary code execution
- Description: A type confusion issue has been addressed through improved checks.
- CVE-2022-42841: Thijs Alkemade (@xnyhps) from Computest Sector 7
Safari 16.2 security updates
There is also a separate update for Safari (16.2) that fixes eight serious WebKit bugs, the most critical of which is a zero-day bug that has been actively exploited. It’s the same bug that was patched in iOS 16.1.2 last week.
WebKit
Influence: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released prior to iOS 15.1.
Description: A type confusion issue has been addressed through improved status handling.
CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group
