Apple Fixes Serious iOS 13, iPadOS 13 And Catalina Security Issues: Update Your Devices Now – Forbes


Apple is caught in something of an infinite update loop, which has prompted a negative response among some users as updates are shotgunned out with unusual frequency. This has been awkward for Apple—and it just got worse. The tech giant has issued its latest set of updates, which include some serious security patches—those of the arbitrary code execution and escalated system privileges variety. The issue for Apple is the usual “update now” advisory notice issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. And the sheer range of products and the number of security patches for each make for sobering reading.

With CISA warning users to update their devices, and this warning being picked up by some media outlets, how concerned should you be? Apple often applies security patches in batches, and so that in itself is not unusual. The extent of this set of updates, though, is noteworthy. And although there is not much published detail on any of the vulnerabilities that have been patched, the usual CISA warning that users should apply updates to address the risk that “an attacker could exploit some of these vulnerabilities to take control of an affected system” does pertain here. System-level vulnerabilities that potentially enable attackers to remotely execute code, intercept network data or escalate privileges are serious. The most notable updates are iOS 13.2, iPadOS 13.2 and macOS Catalina 10.15.1, which have been combined with other fixes.

A taste of the security vulnerabilities patched with iOS 13.2 includes forced memory leakage, unauthorised App Store logins, a weakness in URL processing that might enable an attacker to intercept traffic and target a device, as well as specific issues with core apps—including video, audio and contacts—and the potential for apps to access restricted parts of the system or escalate system privileges during an attack. There is also a privacy issue, where a screen could be recorded without any visible notification for the person using the device.

For Mac users who have taken the Catalina plunge, there are also memory leak issues, a graphics controller issue that could enable an application “to execute arbitrary code with system privileges,” as well as further “arbitrary code execution” issues. Then there are the same secondary issues around unauthorised logins where a device has already logged in successfully, as well as application-specific issues.

The CISA notice was issued on Wednesday 30 October—with the wide range of devices covered standing out—iPhones, iPads, Macs, Watches and Apple TVs—as well as iTunes, iCloud and Safari. CISA listed the products and linked to relevant security pages. An awkwardly extensive list for Apple users to digest.

Taken in isolation, the fact that Apple issues security fixes in batches as it updates core software might be overlooked. But the company has shaken the confidence of its loyal user base in recent months, as a number of security issues have made headlines. And that means confidence is more delicately poised than usual.

For Apple, coming in the wake of the other security issues (the targeted WhatsApp hack, the Chinese malware attack on the Uighurs, the reincarnated jailbreak option), there will be a hope this slips by as unnoticed as possible. And, in truth, the issues have been raised and patched. In theory the risk is contained. Unless, of course, you subscribe to the view that Apple’s lockdown is not what it was, that its systematic approach to testing has been found wanting, and that the risk of further issues might be looming in the background.

I have applauded Apple before for its expedient if silent approach to security. The company doesn’t comment on matters such as this, although it was approached ahead of publishing. I welcome the speed of the fixes—despite criticism for the frequency of recent updates. Despite the lack of publicity available on the various vulnerabilities in the multiple updates, it is obvious that users who have applied iOS 13 or iPadOS 13 updates, or moved to Catalina, should apply the newest updates right away. If you haven’t taken the plunge into one of the new operating systems, then just make sure you keep whatever you are using updated. As ever, the usual advice pertains: Keep your devices patched at all times, as Apple always cautions, and remember that updates are rushed out for a reason.


