Apple releases macOS Sonoma 14, Safari 17 with 60+ security updates

Security & Privacy

Posted on
September 26th, 2023 by

Jay Vrijenhoek and Joshua Long

Apple has released its latest Mac operating system: macOS Sonoma. It comes hot on the trail of several small but significant OS updates last week that addressed serious security vulnerabilities for Apple’s mobile and desktop operating systems.

We’ve previously covered the new security and privacy features, and other notable features, in macOS Sonoma. You can also read our complete guide to ensuring your Mac is ready for macOS Sonoma.

But now that we have the new macOS in hand, let’s examine the security patches included in Sonoma’s first release. We’ll also take a brief look at the other software updates that Apple released this week.

In this article:

macOS Sonoma 14 security updates and new features

Available for
Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)

New Features
Be sure to read our coverage of the new security and privacy-related features in macOS Sonoma. To learn about macOS Sonoma’s other new features, see our top 10 list of new macOS Sonoma features, and Apple’s more comprehensive list (in PDF format).

Apart from new features and enhancements, macOS Sonoma also comes loaded with more than 60 named security vulnerability patches.

So far, 61 CVEs (Common Vulnerabilities and Exposures identification numbers) are listed, but Apple often revises its security release notes weeks or months later to add additional entries.

Furthermore, the “Additional recognition” section of the macOS Sonoma 14.0 security release notes list 32 acknowledgements—some of which are supposed to have CVEs, but Apple didn’t list them for some reason. And at least one of those “acknowledgements” apparently lists multiple researchers who reported entirely different vulnerabilities. So it’s possible that well over 90 vulnerabilities may have been addressed in macOS Sonoma.

Apple chose not to include some CVE numbers in the macOS Sonoma 14.0 security release notes, for some reason.

While it currently looks like Sonoma patches “61 CVEs,” the number should actually be (much?) higher than that. 🙃 https://t.co/CwZmDgOeXc pic.twitter.com/ZeV2uJH51O

— Josh Long (the JoshMeister) (@theJoshMeister) September 27, 2023

Here are just a handful of notable security patches in macOS Sonoma:

WebKit
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group
Note: This vulnerability was addressed in iOS, iPadOS, and Safari updates last week to protect against the Predator spyware; more on that in this article.

 

Bluetooth
Impact: An app may be able to access sensitive user data, and
Impact: An app may be able to bypass certain Privacy preferences
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40426: Yiğit Can YILMAZ (@yilmazcanyigit)

 

Game Center
Impact: An app may be able to access contacts
Description: The issue was addressed with improved handling of caches.
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

 

iCloud
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with improved redaction of sensitive information.
CVE-2023-23495: Csaba Fitzl (@theevilbit) of Offensive Security

 

iCloud Photo Library
Impact: An app may be able to access a user’s Photos Library
Description: A configuration issue was addressed with additional restrictions.
CVE-2023-40434: Mikko Kenttälä (@Turmio_ ) of SensorFu

 

Messages
Impact: An app may be able to observe unprotected user data
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-32421: Meng Zhang (鲸落) of NorthSea, Ron Masas of BreakPoint Security Research, Brian McNulty, and Kishan Bagaria of Texts.com

 

System Preferences
Impact: An app may bypass Gatekeeper checks
Description: The issue was addressed with improved checks.
CVE-2023-40450: Thijs Alkemade (@xnyhps) from Computest Sector 7

 

TCC

Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

 

XProtectFramework
Impact: An app may be able to modify protected parts of the file system
Description: A race condition was addressed with improved locking.
CVE-2023-41979: Koh M. Nakagawa (@tsunek0h)

The list of security-related fixes is quite long, and there are many other interesting entries. Check out the full list of security patches included in macOS Sonoma 14.0.

If your Mac meets the system requirements, you will find this update in System Settings > General > Software Update. For those running macOS on unsupported hardware by means of OpenCore Legacy Patcher, give it a week or so and macOS Sonoma should be supported. The current version does not support macOS Sonoma.

Safari 17 security updates

Available for
macOS Monterey and macOS Ventura (included in macOS Sonoma 14)

Security updates:
The application itself received one security patch, WebKit received four, for a total of five CVEs. Here are a couple of highlights:

Safari
Available for: macOS Monterey and macOS Ventura
Impact: Visiting a website that frames malicious content may lead to UI spoofing
Description: A window management issue was addressed with improved state management.
CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd, Pune (India)

 

WebKit
Available for: macOS Ventura
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

The WebKit patch highlighted above is the same one macOS Sonoma received, and was included with last week’s round of updates for other operating systems. Last week’s release notes didn’t specify whether macOS Ventura got the patch; evidently Apple was waiting to release the patch for Ventura as part of Safari 17 for some reason.

Non-security updates: iOS and iPadOS 17.0.2, watchOS 10.0.2

Apple also released iOS 17.0.2 and iPadOS 17.0.2, as well as watchOS 10.0.2, on Tuesday. According to Apple, these updates have “no published CVE entries,” and Apple did not publish any additional security acknowledgements.

Both contain bug fixes. According to Apple, the iOS update “fixes an issue that may prevent transferring data directly from another iPhone during setup.” Apple did not specify which bug-fixes the watchOS update contains.

Which OS versions are protected against Predator spyware (or not)?

As mentioned in our previous coverage, the Predator spyware was recently caught exploiting three vulnerabilities in Apple operating systems:

• Security (CVE-2023-41991)
• Kernel (CVE-2023-41992)
• WebKit (CVE-2023-41993)

Here is the patch status of those vulnerabilities for each applicable Apple operating system, as of today:

• macOS Sonoma — All three vulnerabilities presumably* patched or not applicable (14.0)
  • *Apple only names CVE-2023-41993, but also has “Additional acknowledgements” that imply that CVE-2023-41992 was patched as well; we know from other researchers that Apple did not properly credit all CVEs in macOS Sonoma 14.0. CVE-2023-41991 may have either been not applicable, or not named, but is presumed to have been patched. Intego has reached out to Apple for clarification and will update this article if Apple responds.
• macOS Ventura — All three vulnerabilities were patched (13.6 + Safari 16.6.1)
• macOS Monterey — Two of the three vulnerabilities were patched (12.7 + Safari 16.6.1 + Safari 17)
  • CVE-2023-41991 was not listed in the security patch notes
• macOS Big Sur — Only one of the vulnerabilities was patched (Safari 16.6.1)
• iOS & iPadOS 17 — All three vulnerabilities were patched (17.0.1)
• iOS & iPadOS 16 — All three vulnerabilities were patched (16.7)
• iOS & iPadOS 15 — None of the vulnerabilities have been patched.
  • This is the final iOS/iPadOS version compatible with iPhone 6s, 6s Plus, SE (1st generation), 7, 7 Plus, and iPod touch (7th generation), iPad Air 2, and iPad mini 4. All of these devices should be assumed to be perpetually vulnerable since they can no longer be upgraded to a current operating system.
• watchOS 10 — Only two of the vulnerabilities were patched (10.0.1)
• watchOS 9 — Only two of the vulnerabilities were patched (9.6.3)
  • The absence of a patch for the WebKit vulnerability for both watchOS versions seems to imply that watchOS was not impacted. Intego has reached out to Apple for clarification and will update this article if Apple responds.
• watchOS 8 — None of the vulnerabilities have been patched.

What to do if your Mac cannot upgrade to macOS Sonoma

With the release of macOS Sonoma, we can presume that macOS Big Sur has likely seen its last update with the release of Safari 16.6.1 last week. This not only leaves macOS Big Sur potentially vulnerable to the Predator spyware, but going forward an ever-increasing amount of vulnerabilities will not be addressed.

It’s best to upgrade your Mac to the latest compatible macOS version, ideally macOS Sonoma, to ensure that your Mac will receive security updates for the next year. If your Mac is not officially compatible with macOS Sonoma, consider upgrading to a newer macOS version than Apple supports to keep your Mac better protected.

How to install Apple security updates

Be sure to read our complete guide to upgrading to macOS Sonoma to make sure your Mac is fully ready.

How to Prepare Your Mac to Upgrade to macOS Sonoma: the Ultimate Guide

To upgrade a Mac running macOS Ventura to macOS Sonoma, first update your critical software; for example, run Intego’s NetUpdate utility and install all available updates. Then check for macOS updates by going to System Settings > General > Software Update.

If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or type in the Terminal softwareupdate -l (that’s a lowercase L) and press Return/Enter, then check System Settings > General > Software Update again.

Macs running macOS Big Sur or Monterey can get these updates (or upgrade to macOS Sonoma) via System Preferences > Software Update. If you have an iMac Pro or a MacBook Pro (2018) that’s still running macOS High Sierra, look for macOS Sonoma in the Mac App Store and download it from there.

Note that only the latest macOS version is ever fully patched; older macOS versions only get a subsection of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”

Users of iPhone or iPad can go to Settings > General > Software Update to update iOS or iPadOS on their devices.

To update watchOS on your Apple Watch, the process is a bit more complicated. First, update your iPhone to the latest operating system it can support (ideally the latest version of iOS 17). Next, ensure that both your iPhone and Apple Watch are on the same Wi-Fi network. Your Apple Watch also needs to have at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.

Whenever you’re preparing to update macOS, iOS, or iPadOS, it’s a good idea to always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.

Should you back up your iPhone to iCloud or your Mac? Here’s how to do both

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels:       

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research.
View all posts by Jay Vrijenhoek →