Apple's latest security update is important, but the mass-media response is unhinged

The latest Apple security update contains some fixes that you should apply to your devices, but they are nowhere near warranting the amount of ill-informed media attention that they're receiving.

Apple malware


Today's technology-related headlines are currently dominated by stories about security vulnerabilities "disclosed" in a variety of Apple devices. Hyperbole abounds, including discussions about how the flaws would allow a hacker to "take control" of your device.

However, despite what the headlines may have you think, this update is not much more significant than nearly every other. In fact, bigger flaws have been patched in the last year that were almost completely ignored by the rest of the media.

If you're new to watching the moves of the iPhone maker, this may seem like a big deal. For those of us that do it for a living, or are even just generally aware of Apple hardware and how to use it, it's just Friday.

What the latest update fixes

Apple on Wednesday released iOS 15.6.1 and a range of other software updates. It's a routine patch that addresses some bugs and vulnerabilities, and would have gone unnoticed by the general public and media were it not for a scary-sounding flaw.

The update patches two vulnerabilities that Apple says may have been actively exploited in the wild, meaning that an attacker may have used them to compromise a device.

More specifically, the patch addresses a WebKit vulnerability that could allow an attacker to execute arbitrary code with elevated privileges. In other words, this means that a hacker could theoretically run malicious code on a compromised device.

But, there's still Apple's Sandbox. It's not like the entire system and all of your data could be laid bare and instantaneously uploaded by the exploit and any payload that may be delivered. And, delivery of that payload is non-trivial.

The update also fixes a similar kernel vulnerability that could allow attackers to execute arbitrary code with kernel privileges, which is another exploit that is hard to actually use. And here, again, there's Apple's multilayer approach to security that stands in the way of full data exfiltration by the exploit.

Sure, there's the remote possibility of a keylogger that might capture passwords. But, not if you're using iCloud Keychain, since you're not actually typing anything. And TikTok already has one in its app, and folks seem mostly unconcerned about it.

What's been patched isn't necessarily insignificant. It's significant enough to warrant an update as soon as possible.

However, this is far from an isolated "emergency" bug fix, as the folks at CNN seem to think.

This is far from unique

Apple routinely issues software updates that fix security issues. The one released on Wednesday is no different, and hardly unique.

Take, for example, this story from 2015 about Apple addressing a bug in OS X that could have led to attacks with escalated privileges. There's also this story from 2021 in which Apple patched a flaw in macOS that could have also allowed attackers to run arbitrary code.

It hasn't even been that long since the last batch of critical security patches. In July, Apple released new iOS 15 and macOS 12 updates with fixes for a range of vulnerabilities that could have allowed attacks similar to the one fixed on Wednesday.

And those didn't get a fraction of the breathless headlines seen today across the media spectrum, including footage we've seen from very local news channels that don't even know how to get the update.

Those seemingly minor point releases that many people ignore are more often than not filled with these types of security updates. And that's not even counting the actually worrying vulnerabilities.

In September 2021, Apple fixed a zero-day flaw that allowed a spyware tool called Pegasus to actually take full control of a device and spy on users. Worryingly, that spyware was used by authoritarian governments to surveil activists, journalists, and opposition candidates.

To put it another way, those vulnerabilities could have actually endangered lives. Somehow, it didn't get the type of press attention that Wednesday's flaw received.

Apple's security

It isn't clear why the update on Wednesday managed to capture the attention of the national and international press. To us at AppleInsider, and we presume just about every other regular reader, there's nothing particularly significant about it that makes it stand out among Apple's hundreds of other critical security fixes.

However, the national attention is a good time to bring awareness to the fact that you should definitely install Apple's minor point releases soon after they're available.

Apple takes both privacy and security very seriously. The company went toe-to-toe with the FBI to avoid installing a backdoor that could have compromised the security of its devices.

The company doesn't play around as it pertains to security. Back in November 2021, it even filed a lawsuit against NSO Group -- the makers of the Pegasus spyware -- for compromising iOS and endangering the security of its customers.

Users can do their part by actively installing the updates that Apple engineers work on. The company's security team puts a lot of time, effort, and money into finding and fixing flaws. That's wasted if people don't download and install the updates.

In other words, we're not saying that you shouldn't download and install Wednesday's update, because you absolutely should. But creating a huge hubbub down to the local news level about it is far from warranted.

Unless, that is, they want to start screaming about every update that Apple rolls out in the same fashion.


Comments

  • Reply 1 of 28
    If it’s Apple and “bad news” it gets clicks from haters. I’m already seeing it in chat groups. 
  • Reply 2 of 28
    I have already switched to far more secure CB radio
  • Reply 3 of 28
    cpsro Posts: 3,192 member
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    edited August 2022
  • Reply 4 of 28
    mystigo Posts: 183 member
    I was wondering about this while I was reading the story this morning. How is this any different from any other security fix? They issue tons of them. The story ought to be how Apple takes security seriously.
  • Reply 5 of 28
    bluefire1 Posts: 1,301 member
    cpsro said:
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    It was a major news story on a number of networks such as ABC.
  • Reply 6 of 28
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
  • Reply 7 of 28
    Fox News fair balanced and unafraid!
  • Reply 8 of 28
    cpsro Posts: 3,192 member
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    Even if an Apple user doesn't manually update, the system will automatically update within a week of release.
  • Reply 9 of 28
    cpsro Posts: 3,192 member
    Was it the lead/headline news story for many hours on ABC like it was on Faux News? I doubt it. The lead story on Faux News is now about Finland's PM clubbing.
    edited August 2022
  • Reply 10 of 28
    hmlongco Posts: 533 member
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    I feel like we're already in one of those "phone" games. The original mention was "elevated privileges" which you immediately escalated to "kernel privileges".
  • Reply 11 of 28
    cpsro said:
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    Even if an Apple user doesn't manually update, the system will automatically update within a week of release.
    Only if automatic updates are enabled, unless something has changed since the last time I checked (which is a possibility). Though, automatic updates are on by default. 

    (I'm not being critical of Apple here; I'm disagreeing with this story's downplaying of the importance of this update. It's *very* important, and it's very important to update sooner rather than later)

    Edit to add: The time from publication of a vulnerability to attempted exploitation is now measured in hours, not days or weeks. When something like this is made public then its value as something to be used in targeted attacks against only high value targets is effectively zero. There's no reason for bad actors to exercise restraint at this point. 
    edited August 2022
  • Reply 12 of 28
    hmlongco said:
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    I feel like we're already in one of those "phone" games. The original mention was "elevated privileges" which you immediately escalated to "kernel privileges".

    CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
    CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

    Both have been addressed in this update. 

    edited August 2022
  • Reply 13 of 28
    fred1 Posts: 1,112 member
    cpsro said:
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    Well, it’s also on CNN and the BBC, so 1. they’re getting paid to report on this by the same people as Fox News is, or 2. they’re taking their cues from Fox News, or 3. they also think it’s actually newsworthy (hey, it could happen!)
  • Reply 14 of 28
    dewme Posts: 5,332 member
    Apple should consider setting up some form of opt-in notification service to allow Apple to directly communicate with customers regarding software and firmware updates. Apple’s lazy push update model coupled with the arbitrary Chicken Little media response to some but not all security updates means that the vast majority of Apple’s customers are getting “notified” about updates via third party sources. I get the vast majority of my update triggers here on AppleInsider. I’d even be okay with Apple coding the severity of updates using some sort of model, like red (immediate), yellow (at your earliest convenience), blue (optional) - or some other scheme. 

    I don’t care how Apple does it, but I’d vastly prefer to get important information about updates directly from Apple rather than anyone else. If I have to subscribe to notifications via iMessage and/or Mail, no problem. This should not be a technical limitation. I get notices from Apple when an artist in my Music library releases a new single or album, so why not get a notification when my device needs a security update? 
  • Reply 15 of 28
    hmlongco Posts: 533 member
    CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
    CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

    Both have been addressed in this update. 

    Okay, The kernel issue is related to an application running on macOS. i.e. The user would have to download, enable, and run an app with an exploit. The arbitrary code execution bug in Webkit is worrisome, but isn't related to the kernel privileges issue. 

    It's not, "A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. " They're not "paired", they're two distinct issues.
  • Reply 16 of 28
    hmlongco said:
    CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
    CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

    Both have been addressed in this update. 

    Okay, The kernel issue is related to an application running on macOS. i.e. The user would have to download, enable, and run an app with an exploit. The arbitrary code execution bug in Webkit is worrisome, but isn't related to the kernel privileges issue. 

    It's not, "A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. " They're not "paired", they're two distinct issues.
    That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894. 
  • Reply 17 of 28
    davidw Posts: 2,036 member
    cpsro said:
    Was it the lead/headline news story for many hours on ABC like it was on Faux News? I doubt it. The lead story on Faux News is now about Finland's PM clubbing.

    I made this observation on Thursday morning, when the stock market first opened at 6:30 AM PST. Commented on it here that night and I had to go back to Wednesday, to find the AI article about the update. (I remembered seeing the AI article about the 15.6.1 update but didn't read it.) Thus proving that these types of headlines were being used way before Fox News or any other news website. It was first headline news, for the whole day (Thursday), on finance and business websites concerning AAPL, before the others got hold of it. It wasn't until Friday morning that other non finance and business news sites were using the same type of headlines. But most were linking to the articles I read on Yahoo Finance site, on Thursday morning.

    My "conspiracy theory" is that someone was trying to manipulate AAPL share price down, before option expiration today. My "conspiracy theory" holds more water than yours.

  • Reply 18 of 28
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    Agreed. This is an odd AI article.
  • Reply 19 of 28
    “Apple takes privacy very seriously.” 

    Sure. As long as it doesn’t hurt their wallet. See: China, Russia.
  • Reply 20 of 28
    cpsro said:
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    Fox in the US are masters at deflection... sorta like most politicians who will deflect rather than answer 'hard' questions.
    The story about TG students is playing right to their audience whereas the Apple one is for a news day where all the relevant news is not for their base. 
    If you want to see where Fox US is heading then watch Sky News Australia. Rupert M has IMHO a fast track ticket to the fiery furnace when he does eventually pop his clogs.
