A Little (rot) Insecurity in the Apple Core
On August 17th & 18th 2022 Apple Inc. released security updates for multiple products and devices to address security vulnerabilities across their tech estate including macOS Monterey, iOS, iPadOS and Safari (Big Sur & Catalina). Here’s some background. This type of threat vector puts the user at risk and systems without the update which are unpatched have an increased exploit surface area – i.e. the area in which a hacker could compromise an affected system. The smaller the surface the less the threat.
This vulnerability allows a malicious user or bad actor to take complete control of an Apple device aka an ‘0 day’ where a system is ‘pwned’ or literally owned, by someone other than rightful user. All affected systems should be updated immediately as this type of ‘privilege escalation’ attack severely affects Confidentiality, Integrity & Availability what in the security world is called the CIA triad.
Am I affected, what’s being done and what should I do?
Here is the list of affected devices and software released from Apple Inc., Cupertino and the best solution to correct the issue:
Affected Device / Software | Remediation, action to take |
macOs Monterey | Update Operating System to 12.5.1 |
macOs BigSur (Safari browser) | Update Safari browser to 15.6.1 |
macOs Catalina (Safari browser) | Update Safari browser to 15.6.1 |
watchOs 8.7 | Update watchOs to 8.7.1 |
iOS 15.6 | Update iOS 15.6.1 |
iPadOS 15.6 | Update iPadOS 15.6.1 |
To make the table above clearer for users to understand each affected device been placed in an individual row for clarity. To add further detail multiple mobile phone devices running outdated versions of iOS are affected including ‘iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later‘ so to are multiple iPads, ‘iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)‘. The information italicised above was taken from the Apple website.
Owning mistakes
Apple Inc. in its usual fashion has been very piecemeal and parsimonious when it comes to releasing information about their security threats doing all but the bare minimum to inform its users. For example on the official Twitter accounts for Apple (@Apple) and Apple Support (@AppleSupport) as far as I can see there is no information about this. Similarly on the apple.com official News website there is again no mention. Instead there is the usual slew of marketing, branding and slick images promoting the latest product lines and products.
I can understand the wish for companies to avoid negative publicity however in the tech sector as in others the following question can assert itself, are companies (in this case Apple) putting their own needs above that of its customers? Broadly speaking the answer is definitely yes!!!
Companies are self-interested, self-perpetuating and in many ways self-regulating so they can do what they like until some Law is passed that affects operations as in the case with GDPR (That’s the General Data Protection Regulation) and PII (Personally Identifiable Information).
Notwithstanding the above. People as well a companies will not necessarily volunteer information that could otherwise affect their reputations. That’s natural, but given this is a major security threat affecting millions of devices and given the press will hear about it anyway – I personally think Apple’s stance should have been to ‘own it’ especially as the previous security update from Apple fixing a very similar vulnerability was released only in July 20th 2022, which is essentially less than a month ago.
Rebranding integrity
In today’s conscious market brand affiliation counts for a lot and so does integrity. How long will consumers tolerate organisations that puts their own self interests above that of its customers? Especially when it comes to security and ethical matters. We’re currently in a ‘wage inequality’ war that ‘Minitrue’ in classic double speak has dubbed a ‘cost of living’ crisis. People’s wallets and patience are already stretched.
The company’s interests and the customers are always inextricably linked. In the past Apple has delighted its users and of course running one of the biggest software & hardware technology companies in the world comes with its myriad challenges plus you cannot please everyone. Furthermore software with a 0% vulnerability threat surface area is impossible! However when things inevitably do go wrong clear and simple information should be released to reach the widest number of affected users. The posture of damage limitation by reducing the number of keystrokes on a topic and communication aversion is harmful to users.
The largest constituency should be reached so the updates can propagate to the highest volume of users, makes sense right? Sending a simple email reminding users to update and the risks of not doing so would be a great second factor. Not all users have auto-updates turned on, they tend to ignore these as they’re technobabble on steroids and many avoid new software updates because they’re precisely worried about issues such as security threats on newer software and performance or hardware issues. It’s a common problem that businesses don’t communicate what they should but rather what they think they should. :/
Room for improvement
As an Apple user of over twelve years I feel the ethos of what personal computers were and how they evolved is being closed down. Computers allowed competent enthusiasts and repairers to maintain and expand their machines potential and exceed original programming (just like commander Data 🙂 ) including upgrading RAM, hard drives, storage space or repairing devices when a component fails like the screen, speakers or wifi etc.
Late 2012 13” and 15” Retina MacBook Pro models’ components were ‘soldered’ on to the motherboard which means you cannot just unscrew and replace. This move by Apple Inc. to a much more restricted model hurts the consumer for example the RAM and Hard Drives which are the main upgradable hardware become ‘fixed at the time of purchase.
Also if a user tries to open up their mac to do any repairs they can void their warranty. Effectively this is railroading consumers into paying monthly costs for AppleCare or coughing up exorbitant costs to repair their devices out of warranty. It’s this antithetical approach to what computers are which from a consumer point of view turns my stomach.
Of course, not all consumers are confident enough to conduct self-repairs however a large cohort definitely is. So it is pleasing to see that Apple has released Self Service Repairs in 2021 for mobile and extended that to Mac Silicon Notebooks in 2022. However this falls way short of upgrading the device which would have offered much better versatility and value to the customer.
Summary
Finally I would like to point out that when considering the 13” and 15” Retina MacBook Pros of 2016 (usb-c port models) these posed a lot of problems for users and conversely Apple Inc. including many recalls and issues due to fragile build quality including screen FlexGate, Keyboard replacement and thermal expansion screen popping. All the above is the result of ‘slim-lining’ the product. As a result the hardware was not durable enough or fit for purpose the keyboard was too weak and the flex in the screen output too thin. This is what happens when you sacrifice quality for aesthetics which is not innovation! While its good to see there were recall programmes for the keyboard and flexgate for 13” models, I do not see why Apple Inc. even after it was taken to court and found negligible for FlexGate has only released the repair to 13” devices not for 15” and thermal expansion popping is a ‘just live with it’ condition.
For the moment I’m avoiding Apple products even as new 14” and 16” M1 and M2 Macbook (release next year tbc) devices are taking a welcomed step back to the peripheral connectivity and robustness of Late 2012 to 2015 Retina MacbookPro models. However as a consumer I feel something of a guinea pig especially as Apple Inc. has not released a repair programme for FlexGate 15” models and there are many devices affected.
If you think you may have spotted a vulnerability, hardware or software fault you can always report it to Apple Inc.
Reference links
https://support.apple.com/en-gb/HT201222
https://support.apple.com/en-us/HT213412
https://support.apple.com/en-gb/HT201220
https://twitter.com/AppleSupport
https://www.apple.com/uk/newsroom/2021/11/apple-announces-self-service-repair/
https://www.apple.com/uk/newsroom/2022/08/apple-expands-self-service-repair-to-mac-notebooks/
https://support.apple.com/en-gb/13-inch-macbook-pro-display-backlight-service
https://support.apple.com/en-gb/keyboard-service-program-for-mac-notebooks
https://discussions.apple.com/thread/7825434
https://www.macrumors.com/2021/04/01/apple-flexgate-macbook-pro-models-court/