Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


          OS Security UpdatesPlug Image and Wallet Vulnerabilities

   Adam Engst

   Security updates for Apple's core operating systems aim to plug two
   vulnerabilities actively being exploited in the wild. In the first
   vulnerability, processing a maliciously crafted image could lead to
   arbitrary code execution; it affects the current versions of macOS,
   iOS, and iPadOS. In the second, the Wallet app could allow arbitrary
   code execution when processing a maliciously crafted attachment; the
   current iOS, iPadOS, and watchOS are at risk. Apple doesn't list any
   other changes in these updates:
     * [1]macOS Ventura 13.5.2
     * [2]iOS 16.6.1 and iPadOS 16.6.1
     * [3]watchOS 9.6.2

   I recommend updating using Software Update as soon as is
   convenient'it's dangerous to ignore vulnerabilities that could be
   weaponized through simple and easily automated email and text messages.

   It's too bad Apple didn't address these vulnerabilities with Rapid
   Security Response updates that are faster to install and easily
   reverted. The need for a watchOS update may be why, given that Rapid
   Security Responses are available only for macOS, iOS, and iPadOS (see
   '[4]What Are Rapid Security Responses and Why Are They Important?' 2
   May 2023).

   Apple hasn't indicated whether these image and Wallet vulnerabilities
   also affect older versions of its operating systems, but I wouldn't be
   surprised to see additional updates.

References

   1. https://support.apple.com/en-us/HT213906
   2. https://support.apple.com/en-us/HT213905
   3. https://support.apple.com/en-us/HT213907
   4. https://tidbits.com/2023/05/02/what-are-rapid-security-responses-and-why-are-they-important/

.