

If you’re an Apple user, or if you have any Apple devices in your organization (or in your circle of friends and family), take note that the latest round of security fixes arrived today.
After the update, you should have:
Use Settings > General > About to see pertinent information, including the model name, serial number, and current operating system version of your device.
These fixes correct a wide range of vulnerabilities, including:
• Security bypass bugs in numerous system apps and components.
Simply put, built-in security precautions that you take for granted, such as blocking screenshots of your password manager, could be sidestepped by cybercriminals or state-sponsored attackers.
These flaws could allow attackers to pull off a variety of tricks, such as: snooping on network connections; taking screenshots even when the system should have prevented them; logging keystrokes without permission; viewing private data right from the lock screen; extracting a full list of your installed apps; and injecting fake URLs into the browser’s address bar, thereby making malicious websites look legitimate.
• Memory mismanagement inside the kernel itself.
Rogue apps could provoke system crashes, or with slightly more subtlety make unauthorized memory changes in the kernel.
As its name suggests, the kernel is the most privileged part of the operating system, responsible for setting and managing the security of the entire device.
The kernel prevents apps from accessing data and components they don’t have permission to use, such as your contact list or the built-in camera; it keeps apps apart so they can’t snoop on each other’s behavior without your permission; and it stops you installing unapproved apps that haven’t come from the Apple Store.
Undermining the security of the kernel therefore affects your entire device, possibly even allowing attackers to “jailbreak” it surreptitiously, a jargon word that means to escape from Apple’s strictly-regulated walled garden of permitted apps and behaviors.
When conducted without your consent or knowledge, jailbreaking typically allows attackers to circumvent any existing controls or security options without producing any visible side-effects.
This could leave you quietly and unobtrusively infected with all-seeing spyware or malware that can’t be removed, or even detected, using conventional tools.
• WebKit memory handling bugs that could lead to crashes or RCE.
The vulnerability class known as RCE (remote code execution) is typically considered the most dangerous, as the name itself suggests.
On iPhones and iPads, all apps that download and show web content are required by Apple to push that content through WebKit to render it for display.
This includes Safari, all third-party browsers, and any browser-like components built into apps such as social media and online shopping tools.
In theory, having one carefully-curated web rendering engine for everyone can improve security, because web content could come from anywhere, is untrusted by default, and needs to be treated with great care.
But in practice, of course, this centralization means that any exploitable RCE bug in WebKit simultaneously exposes you to attack via multiple apps.
Any iPhone software that displays any sort of web content inherits WebKit’s bugs, even if it’s just a modest help system coded into a simple app.
Simply put...
... Don’t delay, patch today!
Even if your device is set to download and install updates automatically, get into the habit of checking regularly that you really do have the latest version.
Head to Settings > General > Software Update to make sure.
It takes just a few seconds to check, and if you haven’t received the update yet (you might be at the tail end of the update queue, for all you know!), then you can kick the process off right away.
And to protect your mobile devices against exploits and attacks that aren’t easy to detect using the tools built into your device itself, take a look at SolCyber Mobile Protection.
Many cybercriminals and state-sponsored attackers – digital enemies who have plenty of Bitcoin in their wallets for secretively buying up undisclosed hacks and attacks – go above and beyond in their offensive behavior.
Why not go above and beyond in your own defense?
Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!







