Apple's latest security update is important, but the mass-media response is unhinged
The latest Apple security update contains some fixes that you should apply to your devices, but they are nowhere near warranting the amount of ill-informed media attention that they're receiving.
Today's technology-related headlines are currently dominated by stories about security vulnerabilities "disclosed" in a variety of Apple devices. Hyperbole abounds, including discussions about how the flaws would allow a hacker to "take control" of your device.
However, despite what the headlines may have you think, there's nothing much more significant about this update than nearly every other. In fact, bigger flaws have been patched in the last year that were almost completely ignored by the rest of the media.
If you're new to watching the moves of the iPhone maker, this may seem like a big deal. For those of us that do it for a living, or are even just generally aware of Apple hardware and how to use it, it's just Friday.
What the latest update fixes
Apple on Wednesday released iOS 15.6.1 and a range of other software updates. It's a routine patch that addresses some bugs and vulnerabilities, and would have gone unnoticed by the general public and media were it not for a scary-sounding flaw.
The update patches two vulnerabilities that Apple says may have been actively exploited in the wild, meaning that an attacker may have used them to compromise a device.
More specifically, the patch addresses a WebKit vulnerability that could allow an attacker to execute arbitrary code with elevated privileges. In other words, this means that a hacker could theoretically run malicious code on a compromised device.
But, there's still Apple's Sandbox. It's not like the entire system and all of your data could be laid bare and instantaneously uploaded by the exploit and any payload that may be delivered. And, delivery of that payload is non-trivial.
The update also fixes a similar kernel vulnerability that could allow attackers to execute arbitrary code with kernel privileges, which is another exploit that is hard to actually use. And here, again, there's Apple's multilayer approach to security that stands in the way of full data exfiltration by the exploit.
Sure, there's the remote possibility of a keylogger that might capture passwords. But, not if you're using iCloud Keychain, since you're not actually typing anything. And TikTok already has one in its app, and folks seem mostly unconcerned about it.
What's been patched isn't necessarily insignificant. It's significant enough to warrant an update as soon as possible.
However, this is far from an isolated "emergency" bug fix, as the folks at CNN seem to think.
This is far from unique
Apple routinely issues software updates that fix security issues. The one released on Wednesday is no different, and hardly unique.
Take, for example, this story from 2015 about Apple addressing a bug in OS X that could have led to attacks with escalated privileges. There's also this story from 2021 in which Apple patched a flaw in macOS that could have also allowed attackers to run arbitrary code.
It hasn't even been that long since the last batch of critical security patches. In July, Apple released new iOS 15 and macOS 12 updates with fixes for a range of vulnerabilities that could have allowed attacks similar to the one fixed on Wednesday.
And those didn't get a fraction of the breathless headlines like today's across the media spectrum, including footage we've seen from very local news channels that don't even know how to get the update.
Those seemingly minor point releases that many people ignore are more often than not filled with these types of security updates. And that's not even counting the actually worrying vulnerabilities.
In September 2021, Apple fixed a zero-day flaw that allowed a spyware tool called Pegasus to actually take full control of a device and spy on users. Worryingly, that spyware was used by authoritarian governments to surveil activists, journalists, and opposition candidates.
To put it another way, those vulnerabilities could have actually endangered lives. Somehow, it didn't get the type of press attention that Wednesday's flaw received.
Apple's security
It isn't clear why the update on Wednesday managed to capture the attention of the national and international press. To us at AppleInsider, and we presume just about every other regular reader, there's nothing particularly significant about it that makes it stand out among Apple's hundreds of other critical security fixes.
However, the national attention is a good time to bring awareness to the fact that you should definitely install Apple's minor point releases soon after they're available.
Apple takes both privacy and security very seriously. The company went toe-to-toe with the FBI to avoid installing a backdoor that could have compromised the security of its devices.
The company doesn't play around as it pertains to security. Back in November 2021, it even filed a lawsuit against NSO Group -- the makers of the Pegasus spyware -- for compromising iOS and endangering the security of its customers.
Users can do their part by actively installing the updates that Apple engineers work on. The company's security team puts a lot of time, effort, and money into finding and fixing flaws. That's wasted if people don't download and install the updates.
In other words, we're not saying that you shouldn't download and install Wednesday's update, because you absolutely should. But creating a huge hubbub down to the local news level about it is far from warranted.
Unless, that is, they want to start screaming about every update that Apple rolls out in the same fashion.
Comments
Update: the security update has been pushed into second place by a critical story about transgender students.
(I'm not being critical of Apple here; I'm disagreeing with this story's downplaying of the importance of this update. It's *very* important, and it's very important to update sooner rather than later)
Edit to add: The time from publication of a vulnerability to attempted exploitation is now measured in hours, not days or weeks. When something like this is made public then its value as something to be used in targeted attacks against only high value targets is effectively zero. There's no reason for bad actors to exercise restraint at this point.
CVE-2022-32893 is an arbitrary code execution bug in WebKit.
CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.
Both have been addressed in this update.
It's not, "A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. " They're not "paired", they're two distinct issues.
The story about TG students is playing right to their audience whereas the Apple one is for a news day where all the relevant news is not for their base.
If you want to see where Fox US is heading then watch Sky News Australia. Rupert M has IMHO a fast track ticket to the fiery furnace when he does eventually pop his clogs.