Last Week on My Mac: What did 15.3.1 fix?


Exactly two weeks after we had dutifully updated to Sequoia 15.3, and its parallel security updates for Sonoma and Ventura, we were going through the process again for 15.3.1, 14.7.4 and 13.7.4. Those were unscheduled security updates, with the only information from Apple being that they include “important security fixes”. Even Apple’s security release notes report for each that “this update has no published CVE entries”.

Having scoured Apple’s site and many others, I have drawn a complete blank as to what those updates fixed. I even watched nearly ten minutes of HalfManHalfTech, who claimed to show “some key highlights, New Features and New Changes in macOS 15.3.1 Sequoia”, but I remained none the wiser, and could count those promised new features and new changes on the thumbs of one foot.

My own analysis, based on comparing version and build numbers for bundled apps and the whole contents of /System/Library, was almost as barren. Apple silicon Macs had a firmware update, taking iBoot from version 11881.81.2 to 11881.81.4. Safari remains at version 18.3 (20620.2.4.11.5), and the only change apparent is that Messages had a single minor build increment, from 14.0 (1402.400.131.1.2) to 14.0 (1402.400.131.1.3), which eluded even HalfManHalfTech.
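As an added illustration of that kind of comparison (this is not the tooling used for the analysis above), the Python sketch below records the version and build of every bundle under a directory and reports what differs between two snapshots. It assumes versions are read from the `CFBundleShortVersionString` and `CFBundleVersion` keys of each bundle's Info.plist; the function names are hypothetical, and the before and after trees are constructed from the Safari and Messages numbers quoted above.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

BUNDLE_SUFFIXES = {".app", ".framework", ".bundle", ".kext", ".appex", ".xpc"}

def snapshot(root):
    """Map each bundle path under root to (version, build) from its Info.plist."""
    root = Path(root)
    versions = {}
    for plist in sorted(root.rglob("Info.plist")):
        # The nearest enclosing bundle directory owns this Info.plist.
        rel = plist.relative_to(root)
        bundle = next((p for p in rel.parents if p.suffix in BUNDLE_SUFFIXES), None)
        if bundle is None:
            continue
        try:
            with plist.open("rb") as fh:
                info = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, OSError):
            continue  # unreadable or malformed plist: skip, don't abort the scan
        if isinstance(info, dict):
            versions.setdefault(str(bundle), (info.get("CFBundleShortVersionString"),
                                              info.get("CFBundleVersion")))
    return versions

def changed(before, after):
    """Return [(bundle, old, new)] for bundles added, removed or re-versioned."""
    return [(b, before.get(b), after.get(b))
            for b in sorted(before.keys() | after.keys())
            if before.get(b) != after.get(b)]

def _make_bundle(root, name, version, build):
    contents = Path(root, name, "Contents")
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version,
                       "CFBundleVersion": build}, fh)

def demo():
    """Constructed before/after trees using the numbers quoted in the article."""
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        for root, msg_build in ((old, "1402.400.131.1.2"), (new, "1402.400.131.1.3")):
            _make_bundle(root, "Safari.app", "18.3", "20620.2.4.11.5")
            _make_bundle(root, "Messages.app", "14.0", msg_build)
        return changed(snapshot(old), snapshot(new))

if __name__ == "__main__":
    for bundle, old, new in demo():
        print(bundle, old, "->", new)
```

On a real Mac the first snapshot has to be saved before the update is installed, for example as JSON, so that it can be compared with one taken afterwards.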

The absence of CVE entries doesn’t mean that these updates didn’t fix any vulnerabilities, though. The Common Vulnerabilities and Exposures (CVE) scheme sets out to identify and monitor publicly known vulnerabilities and exposures, particularly those discovered and reported by third-party researchers. There’s no obligation or expectation that Apple should assign CVEs to vulnerabilities that it discovers in-house, and that apparently don’t come to the attention of anyone outside.

In the past, Apple used to assign CVEs to many vulnerabilities discovered by its engineers. Looking back at previous security release notes, I noticed those for OS X Yosemite 10.10.3 of 8 April 2015, listing a total of 79 CVEs that were addressed. Of those, 36 were in open source components, leaving 43 in OS X itself. Apple credited its own engineers for reporting 6 of those, and in a further 4 no credit was given in the release notes at the time.

Over the last few years, precious few entries in macOS security release notes have cited CVE entries credited to Apple. This implies that either Apple’s engineers are now detecting very few vulnerabilities, or that those they detect are seldom being entered as CVEs. I’m inclined to believe the latter, and the release of 15.3.1, 14.7.4 and 13.7.4 updates confirms that suspicion. It may be that in the coming weeks, Apple does release more details as to what has been fixed in these security updates. It’s not unusual for it to issue revised release notes some time afterwards, providing information that it decided not to make public at the time of the update.

There’s currently a lot of attention focussed on Apple’s responses to two families of attacks that abuse speculative features of the CPU cores in M-series chips. Almost a year ago a team of seven researchers made public GoFetch, shown to be capable of revealing encryption keys, but not those kept inside the Secure Enclave. Late last month a team from Georgia Tech and Ruhr University Bochum published details and demonstrations of SLAP and FLOP enabling memory leakage in M2 and M3 chips.

There’s no evidence at present that any of those has been exploited in malicious software, and it’s also far from clear whether they’ll ever be used against us. Although a triumph of security research, in the pragmatic world of the attacker, they’re several orders of magnitude more difficult than deceiving the human, the weakest link. While I’m looking forward to Apple addressing GoFetch, SLAP and FLOP, we should remain more concerned with those mundane vulnerabilities that are already both popular and effective. If you’re unsure what those are, Patrick Wardle’s analysis of new macOS malware of 2024 is a worthwhile reference.

Does it matter whether Apple lists them as CVEs in release notes? In practice, relatively little, as the message remains the same: keep macOS up to date and never drop your guard. Some of the most important fixes are released in these ‘minor’ updates, and we may well have another month to go before the next macOS updates are released. If you haven’t updated yet to 15.3.1, 14.7.4 or 13.7.4, please do so today.
