Apple has made a rare exception to its policy of not patching older-than-officially-supported devices by releasing security updates for the iPhone 5s and newer following the ‘severe’ zero-days discovered in August.
The zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey essentially granted “administrative superpowers” to hackers, according to some security researchers.
The two ‘critical’ vulnerabilities could be chained together to gain control of an entire device with kernel privileges, Apple said at the time.
It meant attackers who managed a maliciously crafted web page could exploit an Apple device and assume control of features like the camera and microphone, and carry out other activities such as spying on apps and accessing nearly all data stored on the device.
Apple very rarely breaks its own policy of not applying security patches to unsupported devices. Apple currently supports iPhones as old as the iPhone 6, but this week’s updates push fixes to devices such as the iPhone 5s, iPad Air, iPad Mini 2, and the iPod touch (6th generation).
The last time it issued a backported fix for a major vulnerability was in 2018 when it updated older Macs to protect against the infamous Meltdown vulnerability affecting most Intel chips in use at the time of discovery.
The discovery of Meltdown was a significant one - Intel was the dominant chipmaker, for some time, in the PC and Mac market and the vulnerability was found to affect nearly every Intel chip from the previous 20 years.
The exploitation of Meltdown would allow attackers to ‘melt’ the kernel-level restrictions on the chip’s hardware and potentially access highly sensitive protected data.
It’s common for tech companies to decide when a device goes ‘end of life’ - the point at which it will no longer receive security updates. It can make the creation and management of security fixes easier but companies have drawn criticism over the practice which has been seen by some as a way of forcing users to pay for newer hardware sooner than needed.
Apple, however, is known to be one of the companies that offer the most amount of updates to older hardware with the current policy extending to iPhone 6 devices, released in September 2014 - eight years ago.
Other manufacturers in the Android ecosystem offer comparatively fewer updates for their devices. The generally perceived average is that Android OS devices will receive three years of security updates.
This can vary by manufacturer, though. For example, Samsung offers four years of security updates (five for enterprise devices) and other companies like Xiaomi offer no guarantees on the number of security updates they will provide users.
The Apple zero-days explained and analysed
Apple fixed two zero-day vulnerabilities, that may have been actively exploited in the wild, earlier in August.
The first of these, tracked as CVE-20220-32893, was a remote code execution (RCE) flaw in WebKit, Apple’s proprietary browser engine.
RELATED RESOURCE
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
The vulnerability was exploitable in any WebKit-enabled browser such as Safari and all in-app browsers on iOS and iPadOS. It meant that nearly all devices could be exploited given the prevalence of in-app browser use, regardless of whether the user’s default browser was changed from Safari or not.
The second flaw, tracked as CVE-2022-32894, was a bug that required the attacker to gain an initial foothold on the target device to exploit it. The aforementioned WebKit vulnerability would have granted the necessary privileges to exploit the second.
It was a kernel-level code execution bug and the pair together garnered widespread attention from the world’s media given the severity of the potential outcomes.
Apple releases security updates for its devices usually, at least, every month so it’s not uncommon for users to skip an update or two due to the time it takes to download and install them on each device.
The widespread reporting on the vulnerabilities could have influenced Apple to break its policy on providing security fixes for end-of-life devices - Apple has not commented on this explicitly, though.
-
Asus ZenScreen Fold OLED MQ17QH reviewReviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
The threat prevention buyer's guideWhitepaper Find the best advanced and file-based threat protection solution for you
-
Supply chain as kill chainWhitepaper Security in the era Zero Trust
-
Microsoft under fire for “negligent” security practices in scathing critique by industry execNews Microsoft took more than 90 days to issue a partial fix for a critical Azure vulnerability, researchers found
-
Apple patches zero day linked to spyware campaignNews Kaspersky researchers were the first to report a zero day used in a sophisticated attack chain
-
MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hackNews The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew
-
Microsoft says it knows who was behind cyber attacks on MOVEit TransferDozens of organizations may have already lost data to hackers exploiting the critical flaw
-
Trend Micro security predictions for 2023Whitepaper Prioritise cyber security strategies on capabilities rather than costs
-
Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contestNews Researchers took home more than $375,000 in winnings on the first day of the competition
