
Security patches for your iPhone come all the time. But should you be told which are important? – Yahoo Finance


When Apple shipped a set of security patches for iPhones, iPads and Macs on August 17, it notified users with its customary, generic language: “This update provides important security updates and is recommended for all users,” the update prompt on an iPhone read.

But users who clicked through Apple’s update-advisory page to see descriptions of individual fixes got a more alarming cybersecurity story.

“Processing maliciously crafted web content may lead to arbitrary code execution,” a description of iOS 15.6.1 and iPadOS 15.6.1 states. “Apple is aware of a report that this issue may have been actively exploited.”

Translation: Visiting the wrong web site can put malware on your device, and it looks like attackers are already using this vulnerability.

The consensus among security experts was not to panic, but to patch “as soon as possible,” per an advisory from the government’s Cybersecurity & Infrastructure Security Agency.

But then Bank of America got into the act, sending an unprecedented email to customers saying, “We noticed the iOS software version you’re using on your mobile device and/or the Safari browser on your computer may need to be updated.”

It’s unclear how BofA decided that in my case, as my Safari history shows I last visited its site in June and I don’t have its app installed on my iPad. Bank publicists did not answer questions sent via email.

Two security experts said this Apple episode showed we need more clarity about patches requiring imminent attention.

“Organizations can do a better job of clarifying to the public which updates should be prioritized today and which ones should be prioritized within the next week or so,” said Rachel Tobac, CEO of SocialProof Security, in a Twitter direct message.

Tobac added that if the vulnerabilities patched by Apple were being used by nation-state attackers, “folks in the public eye, journalists, activists, government officials, etc.” face a higher risk than everyday people.

Dustin Childs, senior communications manager for TrendMicro’s Zero Day Initiative, said on a video call that update fatigue compounds this problem. “It seems that they happen so much that it’s difficult for consumers to tell when it’s a regular update and when it’s an increased threat,” Childs said.

Childs said that if Apple can use iOS notifications to market its own services, it should use them to flag urgent alerts. “If I can get a notification about a three-month trial for Apple TV, then certainly you should be able to send a notification saying there are active attacks.”

Scott Radcliffe, an Apple spokesperson, provided a statement over email that said in part:

“Security researchers agree that iPhone is the safest, most secure consumer mobile device, and we work hard to keep it that way, which is why there has never been a widespread malware attack on iOS,” Radcliffe said. “Apple has long led the industry in customer adoption rates for software and security updates, and we’re not standing still – we’re doing even more to help users receive the latest protections.”

The upcoming iOS 16, previewed in June and due this fall, includes a “Rapid Security Response” feature. This will push important patches to devices automatically without requiring a full operating-system update – which today can leave an iPhone or iPad unusable for 10 minutes or more during installation.

Noting that inconvenience factor, Tobac advised making an Apple security update your day’s last computing chore: “When you hear it’s time to update, set up those updates before you go to bed.”

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, email Rob at [email protected]. Follow him on Twitter at twitter.com/robpegoraro.

The views and opinions expressed in this column are the author’s and do not necessarily reflect those of USA TODAY.

This article originally appeared on USA TODAY: Apple’s recent iPhone security fix puts spotlight on transparency

Source: https://finance.yahoo.com/news/security-patches-iphone-come-time-143109808.html