Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 Address Serious Security Vulnerabilities, Fix Bugs

Adam Engst

Just 11 days after releasing a spate of updates to its operating systems (see '[1]Apple Releases iOS 16.4, iPadOS 16.4, macOS 13.3 Ventura, watchOS 9.4, tvOS 16.4, and HomePod Software 16.4,' 27 March 2023), Apple has pushed out quick updates to [2]iOS 16.4.1, [3]iPadOS 16.4.1, and [4]macOS Ventura 13.3.1 with a smattering of changes.

Why the quick release? The [5]security notes say that the updates block two vulnerabilities Apple says are actively being exploited in the wild. One vulnerability would allow an app to execute arbitrary code with kernel privileges; the other could allow maliciously crafted Web content to execute arbitrary code. I'm reading between the lines here, but the fact that Apple credits 'Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab' suggests to me that these vulnerabilities might have been leveraged by governments using the NSO Group's Pegasus or similar software to target activists or journalists (see '[6]Apple Lawsuit Goes After Spyware Firm NSO Group,' 24 November 2021).

Apple took the opportunity to fold in a few bug fixes as well. All three operating systems now properly show the skin tone variations for the pushing hands 🫸🫷 emoji. iOS 16.4.1 and iPadOS 16.4.1 also address a problem that caused Siri to fail to respond in some cases, and macOS 13.3.1 resolves an issue that could prevent you from using Auto Unlock with your Apple Watch.

If my supposition about activists being targeted is correct, the exploits may be aimed mostly at high-value targets. Nevertheless, I recommend that you install these updates right away. It's never a good idea to stick with operating system versions known to be vulnerable to active exploits. Plus, the Siri and Auto Unlock fixes are sufficiently welcome on their own.

Don't be surprised if Apple releases additional updates to its other current operating systems and older versions next week. Given how much code they share, it's likely that others are vulnerable as well but weren't deemed essential for immediate updates.

References

1. https://tidbits.com/2023/03/27/apple-releases-ios-16-4-ipados-16-4-macos-13-3-ventura-watchos-9-4-tvos-16-4-and-homepod-software-16-4/
2. https://support.apple.com/en-us/HT213407
3. https://support.apple.com/en-us/HT213408
4. https://support.apple.com/en-us/HT213268
5. https://support.apple.com/en-us/HT213721
6. https://tidbits.com/2021/11/24/apple-lawsuit-goes-after-spyware-firm-nso-group/