Apple's latest security update is important, but the mass-media response is unhinged


Comments

  • Reply 21 of 28
    AppleZulu Posts: 1,987 member
    Hewing to “the narrative” is the most dangerous aspect of mainstream media right now. Put simply, reporters and editors spend inordinate amounts of time reading and reacting to social media. When a news item starts to trend, they all race to affirm the trending thing with sources (some spend less time bothering with sources) and push out reports that fit “the narrative,” which are then link-posted on twitter, further affirming the trending item as both “significant” and “factual.” This is literally an algorithm-based human confirmation-bias feedback loop. At its most basic, this is dangerous because it promotes things as important that may not actually be important, and it confuses feedback-loop repetition with factual verification.

    What makes this effect truly dangerous is its susceptibility to manipulation by those with agendas. For instance, FoxNews does run stories based on talking points established by their management. In some cases, the talking points are meant to promote specific political ideas. In others, they are meant to capture the attention of their viewers as a means to distract them from noticing disfavored information in the news. So Fox runs their talking points, then promotes them on social media, and they’re picked up and re-shared by conservative politicians and other like-minded people. That feeds the algorithms with trending data, and primes the pump to generate a “narrative.” Soon after, mainstream media is responding to things that “people are saying” as though they are both important and given fact.

    In this case if, as has been suggested by others here (I have not independently verified the timeline), FoxNews started running with the Apple security update as a distraction from other news, it simply followed the well-worn path and became “the narrative.” Information of this sort can be particularly vulnerable to such narrative-based spin-up because the mainstream reporters have no idea how computers work or what actually constitutes a critical vulnerability. It sounds scary so it must be both important and true. It also makes great click-bait, so everyone is happy. 
    edited August 2022 · williamlondon, FileMakerFeller, watto_cobra
  • Reply 22 of 28
    sunman42 Posts: 260 member
    dewme said:
    Apple should consider setting up some form of opt-in notification service to allow Apple to directly communicate with customers regarding software and firmware updates. Apple’s lazy push update model coupled with the arbitrary Chicken Little media response to some but not all security updates means that the vast majority of Apple’s customers are getting “notified” about updates via third party sources. I get the vast majority of my update triggers here on AppleInsider. I’d even be okay with Apple coding the severity of updates using some sort of model, like red (immediate), yellow (at your earliest convenience), blue (optional) - or some other scheme. 

    I don’t care how Apple does it, but I’d vastly prefer to get important information about updates directly from Apple rather than anyone else. If I have to subscribe to notifications via iMessage and/or Mail, no problem. This should not be a technical limitation. I get notices from Apple when an artist in my Music library releases a new single or album, so why not get a notification when my device needs a security update? 

    ——

    I guess Apple does a poor job of publicizing it, but they have a security announcement mailing list: https://lists.apple.com/mailman/listinfo/security-announce/ .

    FileMakerFeller, watto_cobra
  • Reply 23 of 28
    sunman42 Posts: 260 member
    mystigo said:
    I was wondering about this while I was reading the story this morning. How is this any different from any other security fix? They issue tons of them. The story ought to be how Apple takes security seriously.
    My guess is that the difference, at least from many vulnerabilities, is that these appear to have been exploited in the wild. It’s those magic words, “Apple is aware of a report that this issue may have been actively exploited.”
    edited August 2022 · apple_badger, FileMakerFeller, watto_cobra
  • Reply 24 of 28
    cpsro Posts: 3,192 member
    fred1 said:
    cpsro said:
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    Well, it’s also on CNN and the BBC, so 1. they’re getting paid to report on this by the same people as Fox News is, or 2. they’re taking their cues from Fox News, or 3. they also think it’s actually newsworthy (hey, it could happen!)
    My comments about Fox News' prioritization of the Apple story have been with respect to foxnews.com, where it was the top, headline story for many hours. Are you saying it was the top story on BBC and CNN?
    watto_cobra
  • Reply 25 of 28
    That's not how vulnerability chaining works. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894.
    Yet AFAIK Safari doesn't ship with a malicious code exploit embedded within it. Not to mention that WebKit is also sandboxed pretty heavily. I'll grant that the possibility of chaining one exploit into another... but only in the sense that ANYTHING is possible. It's possible that the Earth could explode in the next 0.2 seconds. It is, however, not probable.
    jony0, watto_cobra
  • Reply 26 of 28
    hmlongco said:
    That's not how vulnerability chaining works. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894.
    Yet AFAIK Safari doesn't ship with a malicious code exploit embedded within it. Not to mention that WebKit is also sandboxed pretty heavily. I'll grant that the possibility of chaining one exploit into another... but only in the sense that ANYTHING is possible. It's possible that the Earth could explode in the next 0.2 seconds. It is, however, not probable.
    Safari doesn't have to ship with malicious code; CVE-2022-32893 allows an attacker to inject their own code into the Safari process and execute it. At this point sandboxing should kick in and limit the damage, but CVE-2022-32894 allows the possibility of that attacker's code being run with kernel privileges, at which point it's game over. This is not an unlikely event; it's an absolutely textbook example of an exploit chain.
    muthuk_vanalingam, FileMakerFeller, ctt_zh, lkrupp, zimmie, jony0, beowulfschmidt
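Three points in the replies above lend themselves to a small triage script: dewme's suggested red/yellow/blue severity scheme (quoted in reply 22), sunman42's observation in reply 23 that the "actively exploited" wording is what sets this bulletin apart, and the WebKit-to-kernel exploit chain reply 26 describes. The example below is added here and is not code from any commenter or from Apple; it parses a bulletin written in the style of Apple's security-announce mailing list, assigns each CVE a priority tier, and flags the chain pattern (a code-execution bug reachable from untrusted input paired with a kernel-privilege bug in the same bulletin). The sample bulletin is constructed: the two real CVE ids come from the discussion, the impact wording is paraphrased, the "Available for" line is a placeholder, and the third entry uses a placeholder CVE id.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of an Apple security-announce bulletin.
# Impact wording is paraphrased, platform/version lines are placeholders,
# and CVE-0000-00000 is a placeholder id; only the two 2022 CVE ids are real.
SAMPLE_ADVISORY = """\
Kernel
Available for: <PLATFORM/VERSION PLACEHOLDER>
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-32894: an anonymous researcher

WebKit
Available for: <PLATFORM/VERSION PLACEHOLDER>
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-32893: an anonymous researcher

Calendar
Available for: <PLATFORM/VERSION PLACEHOLDER>
Impact: A remote user may be able to cause unexpected app termination.
Description: A denial-of-service issue was addressed with improved input validation.
CVE-0000-00000: constructed placeholder entry
"""

EXPLOITED = re.compile(r"actively exploited", re.I)
KERNEL = re.compile(r"kernel privileges", re.I)
CODE_EXEC = re.compile(r"arbitrary code execution", re.I)
UNTRUSTED_INPUT = re.compile(r"maliciously crafted|remote", re.I)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    component: str
    impact: str
    cves: list


def parse_advisory(text):
    """Split a bulletin into per-component entries (blank-line separated).
    The first line of each block is the component name; the Impact line and
    any CVE ids are pulled out, everything else is ignored."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        impact = ""
        cves = []
        for line in lines[1:]:
            if line.startswith("Impact:"):
                impact = line[len("Impact:"):].strip()
            cves.extend(CVE_ID.findall(line))
        entries.append(Entry(lines[0].strip(), impact, cves))
    return entries


def priority(entry):
    """red = apply now, yellow = at your earliest convenience, blue = optional.
    'Actively exploited' trumps everything; code execution or kernel
    privileges without a known exploit rate one tier lower."""
    if EXPLOITED.search(entry.impact):
        return "red"
    if KERNEL.search(entry.impact) or CODE_EXEC.search(entry.impact):
        return "yellow"
    return "blue"


def chain_candidates(entries):
    """Pair each entry that gives code execution from untrusted input (the
    sandboxed foothold) with each kernel-privilege entry (the escalation)
    in the same bulletin; together they could defeat the app sandbox."""
    footholds = [e for e in entries
                 if CODE_EXEC.search(e.impact) and UNTRUSTED_INPUT.search(e.impact)]
    escalations = [e for e in entries if KERNEL.search(e.impact)]
    return [(a.cves[0], b.cves[0])
            for a in footholds for b in escalations if a is not b]


def triage(text):
    """Return ({cve: tier}, [(foothold_cve, escalation_cve), ...])."""
    entries = parse_advisory(text)
    tiers = {cve: priority(e) for e in entries for cve in e.cves}
    return tiers, chain_candidates(entries)


if __name__ == "__main__":
    tiers, chains = triage(SAMPLE_ADVISORY)
    for cve, tier in tiers.items():
        print(f"{cve}: {tier}")
    for foothold, escalation in chains:
        print(f"possible exploit chain: {foothold} -> {escalation}")
```

Fed a real bulletin from the security-announce list, the same keyword rules would rate the WebKit and Kernel entries red because of the "actively exploited" sentence, and the chain check would pair them, which is exactly why this particular update drew more attention than a routine one.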
  • Reply 27 of 28
    loopless Posts: 325 member
    Many are mostly missing AI’s point here. There have been many similar vulnerabilities patched over the years. One can argue they are very important…
    But why the whipped up hysteria over this one?
    Stock market manipulation does seem a distinct possibility.
    jony0, watto_cobra
  • Reply 28 of 28
    larryjw Posts: 1,031 member
    bluefire1 said:
    cpsro said:
    I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.

    Update: the security update has been pushed into second place by a critical story about transgender students.
    It was a major news story on a number of networks such as ABC.
    One wonders how it comes to be that a typical security update from Apple becomes the big story. All the owners and editors get together and decide the next day's content, and what not to cover? Or maybe it's the advertisers? 

    And this security flaw seems to have been around for some time but discovered only recently. 
    watto_cobra