Apple breaks update policy to secure older iPhones and iPads against zero-day
It's been four years since the company patched an end-of-life device against a major vulnerability
Apple has made a rare exception to its policy of not patching older-than-officially-supported devices by releasing security updates for the iPhone 5s and newer following the ‘severe’ zero-days discovered in August.
The zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey essentially granted “administrative superpowers” to hackers, according to some security researchers.
The two ‘critical’ vulnerabilities could be chained together to gain control of an entire device with kernel privileges, Apple said at the time.
It meant attackers who managed a maliciously crafted web page could exploit an Apple device and assume control of features like the camera and microphone, and carry out other activities such as spying on apps and accessing nearly all data stored on the device.
Apple very rarely breaks its own policy of not applying security patches to unsupported devices. Apple currently supports iPhones as old as the iPhone 6, but this week’s updates push fixes to devices such as the iPhone 5s, iPad Air, iPad Mini 2, and the iPod touch (6th generation).
The last time it issued a backported fix for a major vulnerability was in 2018 when it updated older Macs to protect against the infamous Meltdown vulnerability affecting most Intel chips in use at the time of discovery.
The discovery of Meltdown was a significant one - Intel was the dominant chipmaker, for some time, in the PC and Mac market and the vulnerability was found to affect nearly every Intel chip from the previous 20 years.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The exploitation of Meltdown would allow attackers to ‘melt’ the kernel-level restrictions on the chip’s hardware and potentially access highly sensitive protected data.
It’s common for tech companies to decide when a device goes ‘end of life’ - the point at which it will no longer receive security updates. It can make the creation and management of security fixes easier but companies have drawn criticism over the practice which has been seen by some as a way of forcing users to pay for newer hardware sooner than needed.
Apple, however, is known to be one of the companies that offer the most amount of updates to older hardware with the current policy extending to iPhone 6 devices, released in September 2014 - eight years ago.
Other manufacturers in the Android ecosystem offer comparatively fewer updates for their devices. The generally perceived average is that Android OS devices will receive three years of security updates.
This can vary by manufacturer, though. For example, Samsung offers four years of security updates (five for enterprise devices) and other companies like Xiaomi offer no guarantees on the number of security updates they will provide users.
The Apple zero-days explained and analysed
Apple fixed two zero-day vulnerabilities, that may have been actively exploited in the wild, earlier in August.
The first of these, tracked as CVE-20220-32893, was a remote code execution (RCE) flaw in WebKit, Apple’s proprietary browser engine.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
The vulnerability was exploitable in any WebKit-enabled browser such as Safari and all in-app browsers on iOS and iPadOS. It meant that nearly all devices could be exploited given the prevalence of in-app browser use, regardless of whether the user’s default browser was changed from Safari or not.
The second flaw, tracked as CVE-2022-32894, was a bug that required the attacker to gain an initial foothold on the target device to exploit it. The aforementioned WebKit vulnerability would have granted the necessary privileges to exploit the second.
It was a kernel-level code execution bug and the pair together garnered widespread attention from the world’s media given the severity of the potential outcomes.
Apple releases security updates for its devices usually, at least, every month so it’s not uncommon for users to skip an update or two due to the time it takes to download and install them on each device.
The widespread reporting on the vulnerabilities could have influenced Apple to break its policy on providing security fixes for end-of-life devices - Apple has not commented on this explicitly, though.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.