Updates to Apple’s Zero-Day Update Story – iPhone and iPad Users Read This! – Naked Security

Regular readers will know two things about our stance on Apple security patches:

  • We like to get them as soon as possible. Whether it’s an upgrade to a full new version that also includes a set of security fixes, or a point release (one in which the leftmost version number doesn’t change) whose primary purpose is fixing bugs rather than adding new features, we’d rather err on the side of applying known security fixes than leave our devices with vulnerabilities that attackers now know about, even if they don’t yet know how to exploit them.
  • However, we often find Apple’s bulletins confusing. For example, you don’t quite know where you stand if you’re stuck on a version that hasn’t been updated this time around.

Apple’s latest security bulletins, released earlier this week, seem to exemplify how the company sometimes adds to the confusion by saying too little… which isn’t always a happy alternative to disclosing too much.

Emerging confusion

Based on the inquiries and comments we have received from readers in the past few days, the following points of confusion have emerged:

  • Why did one security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know iPadOS 16 was delayed, so does this latest update mean that iPadOS is now only patched to the same security level as iOS 16, which was released over a month ago, while iOS has advanced to 16.1, thus leaving iPadOS more than five weeks adrift in terms of cybersecurity?
  • Why did iPadOS 16 end up reporting itself as version 16.1? (Thanks to Stefaan from Belgium for taking and sending screenshots of the iPad update process.) After the update, the About screen apparently says iPadOS 16, as did the security bulletin, while the iPadOS Version screen explicitly says 16.1. It seems as though iPhones and iPads now not only both support the “version family known as 16”, but also both have the latest security fixes, so why not call them both version 16.1 everywhere for clarity, including in the security bulletin and on the About screen?
  • Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS X-3 when version X is released, but is that the actual explanation for why macOS 11 Big Sur and macOS 12 Monterey (versions X-2 and X-1 respectively) got updates while Catalina didn’t?
  • What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received important updates as well, moving to version 15.7. These included a critical fix to close a kernel-level zero-day hole that was under active exploitation, which often translates as “someone out there is planting spyware on iPhones, folks.” So, given that iOS 16.1 includes yet another kernel zero-day fix, probably shutting down a path being exploited by more spyware, where was the corresponding patch for the iOS/iPadOS 15 family, which by analogy you’d assume would be 15.7.1?

As we said in yesterday’s podcast, in response to the fourth question above from an interested reader, our short answer was simply, “Duck: I don’t know. / Doug: Clear as mud.”

Sometimes, security bugs in OS version X simply don’t apply to version X-1, for example because the bugs are only in code that was added, or that only became vulnerable, in later versions.

But we have also seen Apple fail to produce updates for previous versions for two other reasons: [a] because an update is urgently needed but turned out to be too difficult to prepare and test in time, or [b] because the previous version is now considered out of support and will not be updated, whether it needs it or not.

And with Apple security bulletins only ever telling you which patches are available right now, missing updates regularly remain an unexplained (and unexplainable) mystery.

An explosion of bulletins

Well, this morning we received a batch of 15 security bulletin emails from Apple, most of which list the many bugs and security issues reported in the bulletins we had already seen earlier in the week.

None of them directly answered the first three questions above, although we now assume that the reason Apple referred to “iPadOS 16” as well as to “iPadOS 16.1” may have been a misguided attempt to convey that the overdue iPadOS is now getting an upgrade to the version 16 family, in addition to getting an update equivalent in security fixes to the new iOS 16.1.

But the first bulletin in Apple’s latest batch has resolved the last question above, by announcing iOS/iPadOS 15.7.1, which turned out to be a critical fix:


APPLE-SA-2022-10-27-1: iOS 15.7.1 and iPadOS 15.7.1

iOS 15.7.1 and iPadOS 15.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213490.

[. . .]

Kernel
Available for: iPhone 6s and later, iPad Pro (all models), 
iPad Air 2 and later, iPad 5th generation and later, 
iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code 
with kernel privileges. Apple is aware of a report that this 
issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with 
improved bounds checking.

CVE-2022-42827: an anonymous researcher

So, iOS/iPadOS 15 is still supported, and if you didn’t go ahead and upgrade to iOS 16.1 (or to the confusingly named iPadOS 16-that-is-also-16.1) earlier in the week…

…then you need to make sure you get iOS/iPadOS 15.7.1 right away, because the CVE-2022-42827 kernel zero-day hole that was fixed in iOS 16.1 is also present in iOS/iPadOS 15.7, where it is under active exploitation.

In other words, this was one of those cases where the reason for a missing update a few days ago was simply that the patches weren’t ready in time.

What do I do?

TL;DR if you are an iPhone or iPad user: If you are still on the iOS/iPadOS 15 major version, go to Settings > General > Software Update immediately.

Check even if you have automatic updates turned on, and remember not only to approve the download if you don’t already have it, but also to push your device through the installation phase, which requires one or more reboots (which, of course, take your phone or tablet offline for a while).

TL;DR if you are Apple: A little more clarity would go a long way in security bulletins, especially when you know that an important update is still on the way for users of previous versions, or that they won’t need an update because their version isn’t affected.

By the way, if you decided to move to iOS/iPadOS 16.1 earlier this week, just to be safe…

…you now can’t downgrade to iOS/iPadOS 15.7.1, because Apple doesn’t allow downgrades.

(Downgrades facilitate jailbreaking, which Apple aims to prevent, and in any case might require wiping all data first, to prevent a downgrade from being used as a malicious “bring your own bug” security bypass for snooping on personal information.)
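
For anyone checking more than one device, the per-family version logic described above can be run over an inventory export. This is an added example, not part of the original article: the device names and inventory format are constructed, and the only patched-version floors used are the two the article states for CVE-2022-42827 (16.1 and 15.7.1).

```python
# Added example: triage device OS versions against the CVE-2022-42827 fixes
# named in the article (iOS/iPadOS 16.1 and 15.7.1). Inventory is constructed.
import re

# Minimum patched version per major-version family, as stated in the article.
PATCHED_FLOOR = {15: (15, 7, 1), 16: (16, 1, 0)}


def parse_version(text):
    """Turn '15.7', 'iPadOS 16.1' or '16' into a 3-part tuple, e.g. (15, 7, 0)."""
    m = re.search(r"(?<![\d.])(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$", text.strip())
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def triage(version_text):
    """Return 'patched', 'update-needed' or 'not-covered' for one device.

    Feed the full version number: a bare family label such as 'iPadOS 16'
    parses as 16.0.0 and is flagged, which is the ambiguity the article
    complains about.
    """
    version = parse_version(version_text)
    floor = PATCHED_FLOOR.get(version[0])
    if floor is None:
        # The bulletins discussed say nothing about this family, so its
        # status cannot be inferred from them.
        return "not-covered"
    return "patched" if version >= floor else "update-needed"


def report(inventory):
    """Map device name -> triage status for a {name: version string} dict."""
    return {name: triage(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical device names).
SAMPLE = {
    "ipad-frontdesk": "iPadOS 16.1",
    "iphone-sales-03": "15.7",
    "iphone-sales-04": "15.7.1",
    "iphone-lab-01": "16.0.3",
    "ipod-kiosk": "14.8.1",
}

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name:16} {SAMPLE[name]:12} {status}")
```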



