Following several rumors from credible sources that claim Apple is preparing to launch a 15-inch MacBook Air in April, as well as the looming release of the first Apple silicon-based Mac Pro, Apple has released the macOS 13.3 update.
The 13.3 update follows the general release of macOS Ventura 13.2 on January 23, which included nearly two dozen security updates and support for physical FIDO-certified security keys. Apple released macOS Ventura 13.2.1 in mid-February with three more critical security fixes, including one for a WebKit vulnerability that could lead to arbitrary code execution.
macOS 13.3 release notes
These are the new features in macOS 13.3, as stated by Apple’s release notes: This update includes more than 30 security updates for your Mac, which you can find below:
- • 21 new emoji including animals, hand gestures, and objects are now available in emoji keyboard
- • Remove background option in Freeform automatically isolates the subject in your image
- • Photos duplicates album expands support to detect duplicate photos and videos in an iCloud Shared Photo Library
- • Transliteration support for Gujarati, Punjabi and Urdu keyboards
- • New keyboard layouts for Choctaw, Chickasaw, Akan, Hausa, and Yoruba
- • Accessibility setting to automatically dim video when flashes of light or strobe effects are detected
- • VoiceOver support for maps in the Weather app
- • Resolves an issue where Trackpad gestures may occasionally stop responding
- • Fixes an issue where Ask to Buy requests from children may fail to appear on the parent’s device
- • Addresses an issue where VoiceOver may be unresponsive after using Finder
macOS Ventura 13.3: How to install
- Click on the Apple menu and select System Settings.
- Select General in the left sidebar.
- Select Software Update in the main section of the window.
- Your Mac will check online for any available updates. If the update is available, a description will appear. Click on the Update Now button to start the installation. The update will download to your Mac and the installer will run. The Mac will need to restart to complete the installation.
macOS Ventura 13.3 security release notes
Apple’s security updates page includes details on the security updates in 13.3. Below are the security notes.
AMD
- Available for: macOS Ventura
- Impact: An app may be able to cause unexpected system termination or write kernel memory
- Description: A buffer overflow issue was addressed with improved memory handling.
- CVE-2023-27968: ABC Research s.r.o.
Apple Neural Engine
- Available for: macOS Ventura
- Impact: An app may be able to break out of its sandbox
- Description: This issue was addressed with improved checks.
- CVE-2023-23532: Mohamed Ghannam (@_simo36)
AppleMobileFileIntegrity
- Available for: macOS Ventura
- Impact: A user may gain access to protected parts of the file system
- Description: The issue was addressed with improved checks.
- CVE-2023-23527: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
- Available for: macOS Ventura
- Impact: An app may be able to access user-sensitive data
- Description: This issue was addressed by removing the vulnerable code.
- CVE-2023-27931: Mickey Jin (@patch1t)
Archive Utility
- Available for: macOS Ventura
- Impact: An archive may be able to bypass Gatekeeper
- Description: The issue was addressed with improved checks.
- CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security
Calendar
- Available for: macOS Ventura
- Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
- Description: Multiple validation issues were addressed with improved input sanitization.
- CVE-2023-27961: Rıza Sabuncu – twitter.com/rizasabuncu
Camera
- Available for: macOS Ventura
- Impact: A sandboxed app may be able to determine which app is currently using the camera
- Description: The issue was addressed with additional restrictions on the observability of app states.
- CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)
Carbon Core
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted image may result in disclosure of process memory
- Description: The issue was addressed with improved checks.
- CVE-2023-23534: Mickey Jin (@patch1t)
ColorSync
- Available for: macOS Ventura
- Impact: An app may be able to read arbitrary files
- Description: The issue was addressed with improved checks.
- CVE-2023-27955: JeongOhKyea
CommCenter
- Available for: macOS Ventura
- Impact: An app may be able to cause unexpected system termination or write kernel memory
- Description: An out-of-bounds write issue was addressed with improved input validation.
- CVE-2023-27936: Tingting Yin of Tsinghua University
CoreCapture
- Available for: macOS Ventura
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-28181: Tingting Yin of Tsinghua University
curl
- Available for: macOS Ventura
- Impact: Multiple issues in curl
- Description: Multiple issues were addressed by updating curl.
- CVE-2022-43551
- CVE-2022-43552
dcerpc
- Available for: macOS Ventura
- Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
- Description: A memory initialization issue was addressed.
- CVE-2023-27934: Aleksandar Nikolic of Cisco Talos
dcerpc
- Available for: macOS Ventura
- Impact: A user in a privileged network position may be able to cause a denial-of-service
- Description: A denial-of-service issue was addressed with improved memory handling.
- CVE-2023-28180: Aleksandar Nikolic of Cisco Talos
dcerpc
- Available for: macOS Ventura
- Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
- Description: The issue was addressed with improved bounds checks.
- CVE-2023-27935: Aleksandar Nikolic of Cisco Talos
dcerpc
- Available for: macOS Ventura
- Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory
- Description: The issue was addressed with improved memory handling.
- CVE-2023-27953: Aleksandar Nikolic of Cisco Talos
- CVE-2023-27958: Aleksandar Nikolic of Cisco Talos
Display
- Available for: macOS Ventura
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2023-27965: Proteas of Pangu Lab
FaceTime
- Available for: macOS Ventura
- Impact: An app may be able to access user-sensitive data
- Description: A privacy issue was addressed by moving sensitive data to a more secure location.
- CVE-2023-28190: Joshua Jones
Find My
- Available for: macOS Ventura
- Impact: An app may be able to read sensitive location information
- Description: A privacy issue was addressed with improved private data redaction for log entries.
- CVE-2023-23537: an anonymous researcher
FontParser
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted image may result in disclosure of process memory
- Description: The issue was addressed with improved memory handling.
- CVE-2023-27956: Ye Zhang of Baidu Security
Foundation
- Available for: macOS Ventura
- Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
- Description: An integer overflow was addressed with improved input validation.
- CVE-2023-27937: an anonymous researcher
iCloud
- Available for: macOS Ventura
- Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper
- Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.
- CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies
Identity Services
- Available for: macOS Ventura
- Impact: An app may be able to access information about a user’s contacts
- Description: A privacy issue was addressed with improved private data redaction for log entries.
- CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted image may result in disclosure of process memory
- Description: The issue was addressed with improved memory handling.
- CVE-2023-23535: ryuzaki
ImageIO
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted image may result in disclosure of process memory
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative
ImageIO
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
- Description: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2023-27946: Mickey Jin (@patch1t)
ImageIO
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
- Description: A buffer overflow issue was addressed with improved memory handling.
- CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)
Kernel
- Available for: macOS Ventura
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A use after free issue was addressed with improved memory management.
- CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero
- CVE-2023-27969: Adam Doupé of ASU SEFCOM
Kernel
- Available for: macOS Ventura
- Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-27933: sqrtpwn
Kernel
- Available for: macOS Ventura
- Impact: An app may be able to disclose kernel memory
- Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
- CVE-2023-27941: Arsenii Kostromin (0x3c3e)
Kernel
- Available for: macOS Ventura
- Impact: An app may be able to disclose kernel memory
- Description: A validation issue was addressed with improved input sanitization.
- CVE-2023-28200: Arsenii Kostromin (0x3c3e)
LaunchServices
- Available for: macOS Ventura
- Impact: Files downloaded from the internet may not have the quarantine flag applied
- Description: This issue was addressed with improved checks.
- CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev
LaunchServices
- Available for: macOS Ventura
- Impact: An app may be able to gain root privileges
- Description: This issue was addressed with improved checks.
- CVE-2023-23525: Mickey Jin (@patch1t)
Model I/O
- Available for: macOS Ventura
- Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2023-27949: Mickey Jin (@patch1t)
NetworkExtension
- Available for: macOS Ventura
- Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device
- Description: The issue was addressed with improved authentication.
- CVE-2023-28182: Zhuowei Zhang
PackageKit
- Available for: macOS Ventura
- Impact: An app may be able to modify protected parts of the file system
- Description: A logic issue was addressed with improved checks.
- CVE-2023-23538: Mickey Jin (@patch1t)
- CVE-2023-27962: Mickey Jin (@patch1t)
Photos
- Available for: macOS Ventura
- Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
- Description: A logic issue was addressed with improved restrictions.
- CVE-2023-23523: developStorm
Podcasts
- Available for: macOS Ventura
- Impact: An app may be able to access user-sensitive data
- Description: The issue was addressed with improved checks.
- CVE-2023-27942: Mickey Jin (@patch1t)
Safari
- Available for: macOS Ventura
- Impact: An app may bypass Gatekeeper checks
- Description: A race condition was addressed with improved locking.
- CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
- Available for: macOS Ventura
- Impact: An app may be able to modify protected parts of the file system
- Description: A logic issue was addressed with improved checks.
- CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
- Available for: macOS Ventura
- Impact: An app may be able to bypass Privacy preferences
- Description: A logic issue was addressed with improved validation.
- CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)
Shortcuts
- Available for: macOS Ventura
- Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
- Description: The issue was addressed with additional permissions checks.
- CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group
System Settings
- Available for: macOS Ventura
- Impact: An app may be able to access user-sensitive data
- Description: A privacy issue was addressed with improved private data redaction for log entries.
- CVE-2023-23542: an anonymous researcher
System Settings
- Available for: macOS Ventura
- Impact: An app may be able to read sensitive location information
- Description: A permissions issue was addressed with improved validation.
- CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)
TCC
- Available for: macOS Ventura
- Impact: An app may be able to access user-sensitive data
- Description: This issue was addressed by removing the vulnerable code.
- CVE-2023-27931: Mickey Jin (@patch1t)
Vim
- Available for: macOS Ventura
- Impact: Multiple issues in Vim
- Description: Multiple issues were addressed by updating to Vim version 9.0.1191.
- CVE-2023-0049
- CVE-2023-0051
- CVE-2023-0054
- CVE-2023-0288
- CVE-2023-0433
- CVE-2023-0512
WebKit
- Available for: macOS Ventura
- Impact: Processing maliciously crafted web content may bypass Same Origin Policy
- Description: This issue was addressed with improved state management.
- CVE-2023-27932: an anonymous researcher
WebKit
- Available for: macOS Ventura
- Impact: A website may be able to track sensitive user information
- Description: The issue was addressed by removing origin information.
- CVE-2023-27954: an anonymous researcher
XPC
- Available for: macOS Ventura
- Impact: An app may be able to break out of its sandbox
- Description: This issue was addressed with a new entitlement.
- CVE-2023-27944: Mickey Jin (@patch1t)