Apple released an important patch to iOS, iPadOS and MacOS in mid-July that did its usual job of removing bugs, cleaning up security and adding a couple of features. It was the usual Apple update, and most users applied it.
Then, a few days later, another update came out with little fanfare from Apple. Fortunately, plenty of other sources on the Internet noticed it, and started calling it an emergency update. The advice from everywhere was to stop whatever you were doing, and run the new update bringing iOS and iPadOS up to 14.7.1, and MacOS to Big Sur 11.5.1.
The reason it was considered an emergency was that the flaw allowed attackers to penetrate the machine and take it over. Once they did that, the attacker had full access to everything on the device. Worse, it was actively being exploited, meaning that cyber criminals were already breaking into machines.
This security vulnerability is considered a “zero-day” because it was already in the operating system when Apple released it, and could be exploited immediately. Because the attackers were penetrating machines as quickly as they could find them, it was indeed an emergency. Ironically, the vulnerability was originally found by a Microsoft employee, who didn’t get around to reporting it at once.
Apple’s ‘Worry Free’ Past
Apple was once considered a secure platform to the point that users frequently didn’t bother to install anti-malware software. But as the company’s devices have become more widespread, criminals have focused on them. For that matter, so have other types of bad guys, including an Israeli company that publishes the Pegasus spyware. Apple still hasn’t patched its iMessage software, which has a zero-day flaw Pegasus uses to install itself into iOS devices.
But Apple is by no means unique in suffering zero-day attacks. Google has just patched a zero-day vulnerability in its Chrome browser, which runs on Windows, MacOS and Linux. That exploit required convincing a user to visit a website carrying code that could give the attacker access to the computer. Once that happens, the criminals can take over the computer.
And of course Microsoft Windows has had its own problems with zero-day attacks, recently through an attack called PrintNightmare.
Challenge of Zero-Day
The problem with zero-day attacks is that they frequently happen before most anti-malware software can be updated to recognize them. The good news is that patches are usually released quickly, as was the case with the Apple vulnerability. To be useful, though, those patches must be installed on the target systems immediately. Waiting around only increases your chances of being attacked and suffering a data loss.
Unfortunately, there are plenty of excuses for not updating and patching systems immediately. The update might break an application. It’s too time consuming. You don’t have enough staff. You want to check the bug reports. Your system isn’t on the Internet. We’ve heard them all, but none of those is a good reason.
If your applications are being broken by updates, then it’s time to find another vendor. It’s not nearly as time consuming as recovering from a ransomware attack. There’s never enough staff, but other companies do it anyway. By the time you see the bug reports, it’s too late. And not being on the Internet doesn’t protect you – the safety of air-gapped systems is a myth.
What needs to happen instead is that you plan for updates and patches, and name someone in your organization to be the one to make sure they’re applied in a timely manner.
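Whoever owns that job needs a way to see which devices are still below the fixed builds named above (macOS Big Sur 11.5.1, iOS/iPadOS 14.7.1). The POSIX shell check below is an added example, not from the article or from Apple; it compares dotted version strings field by field and runs a constructed inventory through the check. The hostnames and inventory format are assumptions; on a real Mac the version would come from `sw_vers -productVersion`.

```shell
#!/bin/sh
# Minimum patched builds from the advisory discussed in the article.
MACOS_MIN="11.5.1"
IOS_MIN="14.7.1"

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing
# each numeric field; missing trailing fields count as 0 (11.5 < 11.5.1).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# patch_status PLATFORM VERSION: print a one-line verdict; exit 0 if patched.
patch_status() {
    case "$1" in
        macos) min="$MACOS_MIN" ;;
        ios|ipados) min="$IOS_MIN" ;;
        *) echo "unknown platform: $1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$min"; then
        echo "$1 $2: ok (>= $min)"; return 0
    fi
    echo "$1 $2: UNPATCHED (needs $min)"; return 1
}

# Constructed sample inventory ("host platform version"), one device per line.
SAMPLE_INVENTORY="mac-01 macos 11.5.1
mac-02 macos 11.5
ipad-07 ipados 14.7.1
iphone-03 ios 14.7"

# count_unpatched INVENTORY: echo how many devices still need the update.
count_unpatched() {
    n=0
    while read -r host os ver; do
        [ -z "$host" ] && continue
        patch_status "$os" "$ver" >/dev/null || n=$((n + 1))
    done <<EOF
$1
EOF
    echo "$n"
}
```

Feeding it a real inventory export gives the patch owner a daily count of devices that are still exposed, which is the number the board will ask about.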
What you don’t want to see is the report, when it comes out on the news, that your company suffered an attack because your systems were unpatched. Imagine how your board will like that.