
Make sure you patch your iPhone and iPad to the latest patches now

Google has advised of 5 serious vulnerabilities in Apple’s messaging that have been patched, but also one that has not been, so Google have not advised publicly what it is.

If you own an iPhone or iPad make sure you patch immediately if you haven’t recently and keep patching regularly to ensure you get the fix for the undisclosed one as soon as it is released. Some researchers are saying the unpatched fault has had enough detail released that hackers may be weaponising it soon as they search for the problem. From the linked BBC article: "News site ZDnet - which was first to report the matter - noted that the level of detail shared by Google about the other bugs could be enough to let bad actors craft exploits to take advantage of them. Users should download iOS 12.4 “with no further delay,” it added."

3 Likes

Hmmmmm… Google… iOS competitor…

12.4 came out a week ago, I and most of my friends install updates as soon as they land. (I say most because there are some who just don’t think about security at all… one I’ll be seeing today, and I’d bet she’s not even on 12.anything)

3 Likes

It’s not so much that it is Google but the Zero Day team who look at all that type of stuff, they are pretty well thought of in the industry. They did advise Apple who then created the patches for the 5 fixed ones but as Apple hasn’t yet patched the 6th effectively they held off releasing exact detail. The news is only breaking now as the patch has had time to be installed before crims got the whiff, but like you advise not everyone has…thus the warning.

3 Likes

Yeah… I guess… I am just cynical about anything done by Alphabet/Google. Maybe I shouldn’t be.

2 Likes

From the BBC article:

"But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system.

“That’s quite unusual,” commented Prof Alan Woodward, a cyber-security expert at the University of Surrey.

“The reputation of the Google Zero team is such that it is worth taking notice of.”

The Project Zero team was established in July 2014 to uncover previously undocumented cyber-vulnerabilities. It has previously alerted Microsoft, Facebook and Samsung, among others, to problems with their code."

Note they advise any tech company so that vulnerabilities can be patched. Some teams are just out there to help, as it benefits them, their users as well as the competitors.

We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability

— Natalie Silvanovich (@natashenka) July 29, 2019

And trust me I too am hesitant to say the least about Google and some of its practices, I just don’t fault the Zero team for their work.

If you read the patch notes at https://support.apple.com/en-gb/HT210346 it acknowledges the Google Zero Team among other acknowledgements of other problems by other researchers.

The one not successfully/fully patched according to Google Project Zero Team is this one:

Foundation

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero

2 Likes

Google has a highly regarded team that searches for bugs in all sorts of software - including its own. They notify the responsible party when they find a bug, and give them 90 days to fix it before publishing details. The 90 day limit is an incentive to the software company to fix its problems fast; unfortunately Microsoft has recently fallen foul of the deadline on a few occasions and been left red-faced as Google published the flaws.

4 Likes

Another article regarding the iPhone vulnerabilities.

4 Likes

A new vulnerability that is a zero day one has been patched in the latest software update to iPhones. The update 15.0.2 should have been auto installed, but check to ensure it has been.

A news article explaining the problem can be read at.

https://www.theregister.com/2021/10/12/apple_ios_15_0_2_zero_day_patched/

There are other vulnerabilities that have taken Apple some time to address (if they have even been addressed).

https://www.theregister.com/2021/09/24/apple_zero_day/

https://www.theregister.com/2021/09/22/macos_rce_flaw/

4 Likes

I wonder how that might affect those of us who have chosen not to upgrade to iOS15 yet.

3 Likes

Both the iPad and iPhone are still advising they are up to date on iOS 14.8.

iOS 15.0 is listed, and is/was advised as an optional upgrade.

MacWorld as of 5 hrs previous is open minded and makes no comment on the exploit. It also indicates the latest release is number 15.1?

Is the exploit related to version 15.0 but not 14.8?

P.S.
According to Cnet the ‘Pegasus’ patch was supposedly part of 14.8? I’m now unsure 😐 and will not update to 15+ until there is some further clarity from Apple.

2 Likes

15.1 is a very recent release, with no current notes as to any CVEs patched in it. Apple on their security site list the latest CVE patches as the 15.0.2. Patching to 15.1 would patch the CVEs fixed in 15.0.2…there are several other Apple OSes such as tvOS that have current patches available as well.

14.8’s CVE fix breakdown is available here

15.0.2 CVE issue is described here

3 Likes

Understood. But Apple are not advising users of 14.8 that they need to upgrade for an important security update.

Previously Apple has added that notation to the recommended updates advice. That advice is not there on either of my devices despite them rechecking for updates this morning. It has been 2 weeks since 15.0.2 was available. Hence the proposition it’s a vulnerability fixed in 14.8, but left open in 15.0 which is a new release.

My take only.
Are other community members with 14.8 seeing similar and those on 15.0 receiving a different message to install the update for improved security?

MacWorld is certainly one close to the action and has no further comment.

2 Likes

Forbes published 2 articles regarding iOS 15.0 and updates.

On 11 Oct

On 12 Oct

Apple iOS 15.0.2 Verdict: If You’re Running iOS 15, Upgrade

iOS 15.0.2 is yet another rapid fire release from Apple as it looks to fix the lorry load of bugs that (somehow) made it all the way through iOS 15 beta testing. Unlike iOS 15.0.1, the new release appears to effectively address the flaws it sets out to fix without causing many new problems and it throws in a crucial fix for an actively exploited zero-day hack as well.

iOS 15.0 is a whole new version, and not just an update.

Forbes said:
Consequently, if you’re already on the iOS 15 rollercoaster, this is an upgrade worth getting. For everyone still sitting pretty on the bug-free dream that is iOS 14.8, you might want to wait for iOS 15.1 — a much more substantial update (see below) — which is likely to be released late October/early November.

Forbes acknowledged 15.0.2 included an un-announced security fix for iOS 15.0.

2 Likes

The first Forbes article notes that the fix in 15.0.2 has not been fixed in 14.8 and they don’t know if a fix will be rolled out in 14 to address the issue as Apple are keen for users to update to 15. So perhaps a reason to update.

3 Likes

Apple has rolled out update 14.8.1 for iOS. Notifications popped up yesterday.

The iOS 15.x updates are still offered as optional and not essential.

Update 14.8.2 appears to list the same core updates, by CVE number as that released for 15.1.

1 Like

When I saw that iOS15 was optional, I decided not to. I updated to 14.8.1 last night.