Apple iOS 16.6, macOS 13.5 and iPadOS 16.6 include patches for two zero-day critical issues
Take action: Time for the regular patch of your Apple operating system. If you have applied the RSR patch, this one is not a rush job. If you haven't, it's time to plan for downtime for the reboot and patch. But it may be smart to wait a day before patching, just to see whether any of the releases is pulled back.
Apple just rolled out updates for its operating systems:
- iOS 16.6
- macOS 13.5
- iPadOS 16.6
- macOS Monterey 12.6.8
- macOS Big Sur 11.7.9
- iOS 15.7.8
- iPadOS 15.7.8
- tvOS 16.6
- watchOS 9.6
Among other features and fixes, these updates address several security issues, including two zero-day vulnerabilities that were actively exploited:
- CVE-2023-37450 allows potential arbitrary code execution within web pages. This issue is already fixed in the Apple Rapid Security Response (RSR) update for iOS 16.5.1 (c), iPadOS 16.5.1 (c), and macOS 13.4.1 (c). Unfortunately, that RSR was a mess: it was released, then withdrawn, then released again. Apple is therefore including the same final fix in the latest versions, iOS 16.6, macOS 13.5, and iPadOS 16.6.
- CVE-2023-38606 is the second zero-day addressed in the release. This vulnerability could allow unauthorized apps to modify sensitive kernel state. The vulnerability impacted iOS versions released before iOS 15.7.1. To resolve this issue, Apple improved state management in the affected operating systems.
The iOS 16.6 update is available for iPhone 8 and later models, while iPadOS 16.6 can be installed on iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation).
Apple also released Safari 16.6 updates for macOS Big Sur and macOS Monterey, addressing various security issues related to WebKit. macOS Monterey 12.6.8 and macOS Big Sur 11.7.9 include several security patches, including the fixes for the zero-day threats mentioned earlier. iOS 15.7.8 and iPadOS 15.7.8 are now available for the same devices as iOS 16.6 and iPadOS 16.6, respectively, containing fixes for ten security issues.
Additionally, the company rolled out tvOS 16.6 and watchOS 9.6 updates for eligible devices, which include various fixes.
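A patch-compliance check built from the release list and the RSR note above, as an added example that is not part of the original advisory: it classifies reported OS versions as patched, covered only by the "(c)" RSR, or needing an update. The inventory, function names and status labels are assumptions made for illustration; the minimum versions are the ones listed on this page.

```python
import re

# Minimum fixed release per (platform, major version), copied from the list on this page.
FIXED = {
    ("iOS", 16): (16, 6, 0), ("iOS", 15): (15, 7, 8),
    ("iPadOS", 16): (16, 6, 0), ("iPadOS", 15): (15, 7, 8),
    ("macOS", 13): (13, 5, 0), ("macOS", 12): (12, 6, 8), ("macOS", 11): (11, 7, 9),
    ("tvOS", 16): (16, 6, 0), ("watchOS", 9): (9, 6, 0),
}
# Builds whose "(c)" Rapid Security Response carries the CVE-2023-37450 fix, per the page.
RSR_C_BASE = {("iOS", (16, 5, 1)), ("iPadOS", (16, 5, 1)), ("macOS", (13, 4, 1))}

VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:\(([a-z])\))?\s*$")

def parse_version(text):
    """Return ((major, minor, patch), rsr_letter_or_None) for strings like '16.5.1 (c)'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), m.group(2)

def patch_status(platform, version_text):
    """Classify one device: patched, rsr-only, needs-update or not-listed."""
    nums, rsr = parse_version(version_text)
    minimum = FIXED.get((platform, nums[0]))
    if minimum is None:
        return "not-listed"          # no release for this branch appears on the page
    if nums >= minimum:
        return "patched"
    if rsr == "c" and (platform, nums) in RSR_C_BASE:
        return "rsr-only"            # CVE-2023-37450 fixed, CVE-2023-38606 still open
    return "needs-update"

def audit(inventory):
    """Map each hostname in {host: (platform, version)} to its status."""
    return {host: patch_status(p, v) for host, (p, v) in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "phone-01": ("iOS", "16.6"),
        "phone-02": ("iOS", "16.5.1 (c)"),
        "mac-01": ("macOS", "13.4.1"),
        "mac-02": ("macOS", "11.7.9"),
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Devices reported as `rsr-only` match the "not a rush job" case in the advice at the top of the page; `needs-update` devices are the ones to schedule first.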