Apple patches a major Mac security flaw in macOS Ventura 13.2.1

It’s time to update your Mac.

Apple on Monday released macOS Ventura 13.2.1, a small update to the latest version of the Mac operating system. The update does not contain any new features, but it presumably contains several bug fixes and performance optimizations. Most notably, however, it includes three security updates, at least one of which has been actively exploited.

Kernel

  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

Shortcuts

  • Impact: An app may be able to observe unprotected user data
  • Description: A privacy issue was addressed with improved handling of temporary files.
  • CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

WebKit

  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • Description: A type confusion issue was addressed with improved checks.
  • WebKit Bugzilla: 251944
  • CVE-2023-23529: an anonymous researcher

The WebKit fix is also available for macOS Big Sur and macOS Monterey via Safari 16.3.1. macOS Version 13.2.1 comes three weeks after Apple released Ventura 13.2 to the public. 13.2 includes several new security features, such as support for physical FIDO-certified security keys and the implementation of the Rapid Security Response updates. Apple will likely begin testing macOS Ventura 13.3 shortly for release in the spring.

Source: Apple patches a major Mac security flaw in macOS Ventura 13.2.1 | Macworld and Apple fixes new WebKit zero-day exploited to hack iPhones, Macs (bleepingcomputer.com) and https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html
