macOS 13.1 may be getting all the attention, but Apple hasn’t forgotten about its older operating systems. Alongside the first major Ventura update, Apple also released updates to Big Sur (11.7.2) and Monterey (12.6.2) that contain a slew of important security updates. Apple appears to be done releasing updates for the two-year-old Catalina.
To update to the latest version of Monterey or Big Sur, head over to System Preferences, click Software Update, and then Install Now. Several of the updates are serious flaws that could lead to arbitrary code execution. Many of the security updates are the same across both operating systems, but there are three that are just for Monterey.
Monterey 12.6.2 security updates
Bluetooth
- Impact: An app may be able to disclose kernel memory
- Description: The issue was addressed with improved memory handling.
- CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
File System
- Impact: An app may be able to break out of its sandbox
- Description: This issue was addressed with improved checks.
- CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab
Preferences
- Impact: An app may be able to use arbitrary entitlements
- Description: A logic issue was addressed with improved state management.
- CVE-2022-42855: Ivan Fratric of Google Project Zero
Monterey 12.6.2 and Big Sur 11.7.2 security updates
BOM
- Impact: An app may bypass Gatekeeper checks
- Description: A logic issue was addressed with improved checks.
- CVE-2022-42821: Jonathan Bar Or of Microsoft
DriverKit
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)
IOHIDFamily
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition was addressed with improved state handling.
- CVE-2022-42864: Tommy Muir (@Muirey03)
Kernel
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition was addressed with additional validation.
- CVE-2022-46689: Ian Beer of Google Project Zero
Kernel
- Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2022-42845: Adam Doupé of ASU SEFCOM
Kernel
- Impact: A remote user may be able to cause kernel code execution
- Description: The issue was addressed with improved memory handling.
- CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab
libxml2
- Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
- Description: An integer overflow was addressed through improved input validation.
- CVE-2022-40303: Maddie Stone of Google Project Zero
libxml2
- Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
- Description: This issue was addressed with improved checks.
- CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero
ppp
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2022-42840: an anonymous researcher
xar
- Impact: Processing a maliciously crafted package may lead to arbitrary code execution
- Description: A type confusion issue was addressed with improved checks.
- CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7
Safari 16.2 security updates
There is also a separate update to Safari (16.2) that fixes eight severe WebKit flaws, the most critical being a zero-day flaw that has been actively exploited. It’s the same flaw that was patched in iOS 16.1.2 last week.
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group
