Recent security updates: how unusual?

I know August is the ‘silly season’, with a general shortage of fresh news items, but I was surprised all the same to see both the BBC and my local newspaper belatedly reporting last week’s security updates to Monterey, iOS and iPadOS. Was there something really special about them, or were the press jumping on a story which, at any other time, would have passed unnoticed?

First, macOS 12.5.1 and the matching updates to iOS and iPadOS aren’t in the least bit unusual. When Apple released Big Sur, it changed the version numbering system to accommodate these not infrequent security updates, which had tended to be released as ‘supplemental updates’ for macOS.

In each annual cycle, Apple normally plans five or six minor updates containing improvements and general bug fixes, as well as fixes for plenty of security vulnerabilities. Patches between those, like 12.5.1, are common, and it’s good news that they are, as they represent Apple promulgating important fixes as soon as it can, rather than waiting for the next scheduled minor update, which in this case could be as late as October, when 12.6 is likely to be released, alongside the first version of Ventura.

macOS 12.5.1 only contained two security fixes, compared with about 50 in 12.5. What is different in this case is that Apple suggested that both of the vulnerabilities had already been exploited in the wild. As Apple puts it: “Apple is aware of a report that this issue may have been actively exploited.” That doesn’t mean that all our Macs are about to be pwned, though, which is the interpretation that many seem to have jumped to.

Neither is this the first time that Apple has issued such warnings. While none of the security fixes in Monterey 12.5 bore those words, two fixes that came in 12.3.1 did, as did one in 12.2.1, and another in 11.5.1, and in other updates too.

So, what does Apple tell us about the vulnerabilities it has patched in 12.5.1? As is usual, not a great deal. The bug in the kernel allows an application “to execute arbitrary code with kernel privileges”, and that in WebKit allows the processing of maliciously crafted web content to “lead to arbitrary code execution”. Linking either of these to specific code, and determining which malware might be exploiting them, isn’t easy.

As ever, Apple provides CVE-IDs for each. CVE-2022-32893 (WebKit) is merely “reserved” according to the Mitre database, the only detail revealed there being that the entry was made on 9 June 2022, and the entry for the kernel vulnerability CVE-2022-32894 is identical. Both reports are credited to “an anonymous researcher”, which could easily be Apple’s own security researchers. In the past, Apple used to give them explicit credits in its security release notes, but hasn’t done so for some years.

So none of this is unusual, or exceptional, nor does it justify alarmist reports and speculation in the non-technical media. The message remains: keep your Macs and devices up to date, particularly with security updates.

It may be mere coincidence, of course, but this wasn’t the only security update last week. The following day (Thursday), Apple pushed two updates to the security tools built into macOS, one to add a new malware detection signature to XProtect data, the other to refresh the scanning components in its new XProtect Remediator which is replacing MRT in Catalina and later.

For the first time, Apple gave a new XProtect signature a codename that correlates with one of the executable modules in XProtect Remediator: SnowDrift. Stuart Ashenbrenner (@stuartjash) at Jamf has identified this as CloudMensis, spyware first discovered by ESET back in April 2022, when it was thought to have been distributed on a very limited basis.

Apple added the SnowDrift scanner to XProtect Remediator in version 68, pushed just a fortnight ago on 4 August 2022, but has only just added its signature to XProtect’s Yara file. Is it too much of a coincidence to wonder whether these two security fixes might have any connection?
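Since the protection described above depends on which version of the XProtect data bundle and of XProtect Remediator a Mac actually has installed, here is an added example of how to check them. This is illustrative code written for this page, not Apple’s tooling or anything from the article: the two Info.plist paths are assumed to be those used on Catalina and later, the parsing assumes the plist is in XML form, the minimum of 68 for XProtect Remediator is taken from the article, and the minimum for the XProtect data bundle is a placeholder because the article doesn’t give the data version that carries the SnowDrift signature. A constructed sample plist lets the script run on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the original article or from Apple: report the
# installed versions of the XProtect data bundle and XProtect Remediator and
# compare them against a minimum. Paths are assumed (Catalina and later).
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
REMEDIATOR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"
MIN_REMEDIATOR=68     # version that added the SnowDrift scanner (from the article)
MIN_XPROTECT_DATA=0   # placeholder: the article gives no data version number

# Print CFBundleShortVersionString from an XML Info.plist; the value sits on
# the line after the key. Prints nothing if the file is unreadable or the key
# is absent.
plist_version() {
  [ -r "$1" ] || return 1
  awk '/<key>CFBundleShortVersionString<\/key>/ {
         getline
         gsub(/^[[:space:]]*<string>|<\/string>.*$/, "")
         print
         exit
       }' "$1"
}

# True when plain integer version $1 is at least $2.
version_at_least() {
  [ "$1" -ge "$2" ] 2>/dev/null
}

# Report one component. Exit status: 0 up to date, 1 outdated, 2 not found.
check_component() {
  label=$1; plist=$2; minimum=$3
  version=$(plist_version "$plist") || version=""
  if [ -z "$version" ]; then
    echo "$label: no version found at $plist"
    return 2
  fi
  if version_at_least "$version" "$minimum"; then
    echo "$label: version $version (ok, at least $minimum)"
    return 0
  fi
  echo "$label: version $version (OUTDATED, want at least $minimum)"
  return 1
}

# Constructed sample plist so the checks can be exercised away from a Mac.
SAMPLE_PLIST="${TMPDIR:-/tmp}/xprotect_sample_$$.plist"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.example.constructed</string>
	<key>CFBundleShortVersionString</key>
	<string>68</string>
</dict>
</plist>
EOF

# On a Mac, check the real bundles; elsewhere, run against the sample.
if [ -r "$REMEDIATOR_PLIST" ]; then
  check_component "XProtect data" "$XPROTECT_PLIST" "$MIN_XPROTECT_DATA" || true
  check_component "XProtect Remediator" "$REMEDIATOR_PLIST" "$MIN_REMEDIATOR" || true
else
  check_component "Constructed sample" "$SAMPLE_PLIST" "$MIN_REMEDIATOR" || true
fi
```

On a real Mac, `defaults read` on the same Info.plist paths is the more robust way to read `CFBundleShortVersionString`, since it handles binary plists as well as XML; the awk parser above is only there so the example runs anywhere. Exit status 1 from `check_component` is the signal a fleet-management script would act on.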

The message the non-technical press have also missed is how important it is not just to keep up to date with security updates, but that it’s essential to run a recent version of macOS which gets the benefit of XProtect Remediator, and to keep up to date with security data updates too. I suppose that was just too nuanced for the silly season, though.