The latest Apple security update contains some fixes that you should apply to your devices, but they are nowhere near warranting the amount of ill-informed media attention that they're receiving.
Today's technology-related headlines are dominated by stories about security vulnerabilities "disclosed" in a variety of Apple devices. Hyperbole abounds, including discussions about how the flaws would allow a hacker to "take control" of your device.
However, despite what the headlines may have you think, this update is not much more significant than nearly every other. In fact, bigger flaws have been patched in the last year that were almost completely ignored by the rest of the media.
If you're new to watching the moves of the iPhone maker, this may seem like a big deal. For those of us that do it for a living, or are even just generally aware of Apple hardware and how to use it, it's just Friday.
What the latest update fixes
Apple on Wednesday released iOS 15.6.1 and a range of other software updates. It's a routine patch that addresses some bugs and vulnerabilities, and would have gone unnoticed by the general public and media were it not for a scary-sounding flaw.
The update patches two vulnerabilities that Apple says may have been actively exploited in the wild, meaning that an attacker may have used them to compromise a device.
More specifically, the patch addresses a WebKit vulnerability that could allow an attacker to execute arbitrary code with elevated privileges. In other words, this means that a hacker could theoretically run malicious code on a compromised device.
But, there's still Apple's Sandbox. It's not like the entire system and all of your data could be laid bare and instantaneously uploaded by the exploit and any payload that may be delivered. And, delivery of that payload is non-trivial.
The update also fixes a similar kernel vulnerability that could allow attackers to execute arbitrary code with kernel privileges, which is another exploit that is hard to actually use. And here, again, there's Apple's multilayer approach to security that stands in the way of full data exfiltration by the exploit.
Sure, there's the remote possibility of a keylogger that might capture passwords. But not if you're using iCloud Keychain, since you're not actually typing anything. And TikTok already has one in its app, and folks seem mostly unconcerned about it.
What's been patched isn't necessarily insignificant. It's significant enough to warrant an update as soon as possible.
However, this is far from an isolated "emergency" bug fix, as the folks at CNN seem to think.
This is far from unique
Apple routinely issues software updates that fix security issues. The one released on Wednesday is no different, and hardly unique.
Take, for example, this story from 2015 about Apple addressing a bug in OS X that could have led to attacks with escalated privileges. There's also this story from 2021 in which Apple patched a flaw in macOS that could have also allowed attackers to run arbitrary code.
It hasn't even been that long since the last batch of critical security patches. In July, Apple released new iOS 15 and macOS 12 updates with fixes for a range of vulnerabilities that could have allowed attacks similar to the one fixed on Wednesday.
And those didn't get a fraction of the breathless headlines like today's across the media spectrum, including footage we've seen from very local news channels that don't even know how to get the update.
Those seemingly minor point releases that many people ignore are more often than not filled with these types of security updates. And that's not even counting the actually worrying vulnerabilities.
In September 2021, Apple fixed a zero-day flaw that allowed a spyware tool called Pegasus to actually take full control of a device and spy on users. Worryingly, that spyware was used by authoritarian governments to surveil activists, journalists, and opposition candidates.
To put it another way, those vulnerabilities could have actually endangered lives. Somehow, it didn't get the type of press attention that Wednesday's flaw received.
Apple's security
It isn't clear why the update on Wednesday managed to capture the attention of the national and international press. To us at AppleInsider, and we presume just about every other regular reader, there's nothing particularly significant about it that makes it stand out among Apple's hundreds of other critical security fixes.
However, the national attention is a good time to bring awareness to the fact that you should definitely install Apple's minor point releases soon after they're available.
Apple takes both privacy and security very seriously. The company went toe-to-toe with the FBI to avoid installing a backdoor that could have compromised the security of its devices.
The company doesn't play around as it pertains to security. Back in November 2021, it even filed a lawsuit against NSO Group — the makers of the Pegasus spyware — for compromising iOS and endangering the security of its customers.
Users can do their part by actively installing the updates that Apple engineers work on. The company's security team puts a lot of time, effort, and money into finding and fixing flaws. That's wasted if people don't download and install the updates.
In other words, we're not saying that you shouldn't download and install Wednesday's update, because you absolutely should. But creating a huge hubbub down to the local news level about it is far from warranted.
Unless, that is, they want to start screaming about every update that Apple rolls out in the same fashion.
28 Comments
If it’s Apple and “bad news” it gets clicks from haters. I’m already seeing it in chat groups.
I have already switched to far more secure CB radio
I’ve a good idea why Fox News has made the update their lead story: distract from Weisselberg flipping and getting a very light sentence for pleading guilty to 15 felonies. Maybe the story will push some people to Android, too, where they can be tracked and monetized better.
Update: the security update has been pushed into second place by a critical story about transgender students.
I was wondering about this while I was reading the story this morning. How is this any different from any other security fix? They issue tons of them. The story ought to be how Apple takes security seriously.