Apple has released a slew of software updates across its product portfolio and addressed a long list of security vulnerabilities. The updates are iOS 16.6, iPadOS 16.6, macOS Ventura 13.5, watchOS 9.6, tvOS 16.6, iOS 15.7.8, iPadOS 15.7.8, macOS Monterey 12.6.8, and macOS Big Sur 11.7.9.
The range of fixes is extensive. One of the vulnerabilities could allow an app to modify sensitive kernel state – something Apple says may have been actively exploited already. Apple also says a WebKit vulnerability may have been actively exploited. The WebKit vulnerability was already patched with a Rapid Security Response (iOS 16.5.1 (c) and macOS Ventura 13.4.1 (c)). If you allow automatic software updates, you may already be protected from this issue.
Here’s the full list of patched vulnerabilities. You can look up the full data for each reported vulnerability in the Common Vulnerabilities and Exposures (CVE) database by entering the CVE number for each listed vulnerability.
Type | For | Impact | CVE |
---|---|---|---|
Kernel | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1 | 2023-38606 |
WebKit | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited | 2023-37450 |
Apple Neural Engine | Devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation) | An app may be able to execute arbitrary code with kernel privileges | 2023-38136 and 2023-38580 |
Find My | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to read sensitive location information | 2023-32416 |
Kernel | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to execute arbitrary code with kernel privileges | 2023-32734 and 2023-32441 and 2023-38261 and 2023-38424 and 2023-38425 |
Kernel | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to execute arbitrary code with kernel privileges | 2023-32381 and 2023-32433 and 2023-35993 |
Kernel | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | A user may be able to elevate privileges | 2023-38410 |
Kernel | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | A remote user may be able to cause a denial-of-service | 2023-38603 |
libxpc | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to gain root privileges | 2023-38565 |
libxpc | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to cause a denial-of-service | 2023-38593 |
NSURLSession | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | An app may be able to break out of its sandbox | 2023-32437 |
WebKit | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | A website may be able to bypass Same Origin Policy | 2023-38572 |
WebKit | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | Processing web content may lead to arbitrary code execution | 2023-38594 and 2023-38595 and 2023-38600 |
WebKit Process Model | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | Processing web content may lead to arbitrary code execution | 2023-38597 |
WebKit Web Inspector | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | Processing web content may disclose sensitive information | 2023-38133 |
Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.