|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
Security patches for Apple: https://support.apple.com/en-us/HT212807 Apple is patching two “in the wild” zero days – 1 in CoreGraphics (aka CVE-2021-3
[See the full post at: Security patches for Apple – Sept 13]
Susan Bradley Patch Lady/Prudent patcher
How does one install these patches?
Bill
I have Windows computers and an iPhone xr and iWatch series 5. I just did the patch on both devices (thanks to the alert by Susan here which I saw when I got on the computer today). Here’s what I do:
Place both devices next to each other. Plug iPhone into power (I use USB ports on the front of my desktop computer as the most convenient way) and make sure the iWatch is plugged into power and the watch is sitting on its charger. If your iPhone is not on automatic backup, make a backup now. Then charge the iPhone to 50% power or more and then click on the gear icon, then General and then Software Update. Follow the instructions. After the update completes, THEN update your watch. (Open watch on your phone by clicking on the iWatch icon) and follow the instructions.
Or, you can let the installations occur overnight if you have automatic update enabled on the iPhone. I don’t do this because of the danger of a fire while I am sleeping…it’s a small risk but I don’t take it. In fact, I completely turn off my iPhone at bedtime.
Minor updates, like this one, take about 30 minutes to one hour here in Hawaii. Major update takes a lot longer especially if trying to get one right after Apple releases it.
Follow these steps:
I wish Apple would be a bit more forthcoming about security vulnerabilities. A statement like ‘A specially crafted pdf file can cause problems.’ isn’t very helpful. As someone who’s been bitten to a greater or lesser degree by macOS patches – not to mention Windows and Linux Mint patches – I’ve come to view all patches with skepticism and always wait a few days or more before installing them. (Yes I have backups, images, etc, but it’s still not something I want to deal with.).
In the present case, is it any specially crafted pdf file that one might encounter through email, web surfing, etc. or only those that somehow come through iMessage, as has been implied by various media articles? Are there any mitigations or work-arounds that can be implemented while waiting to see if the patch is safe? Are there any differences between the vulnerability in an iPad, iPhone, Mac, etc. The only Apple products I have are Macs so am I safe if I just stay away from pdf files (well probably not if there really is no clicking required to get attacked). Do I only need to worry if I’m a nation-state?
Apologies if this sounds too much like a rant, but I actually am interested in answers to my questions. Any comments and/or insights would be appreciated.
This particular zero days were used in attacks via imessage on phones. It was targeted attacks and I did not see it used on the desktop, just the phones.
Susan Bradley Patch Lady/Prudent patcher
DrBonzo: Sorry not to be able to answer in particular your questions on the bugs meant to be fixed by the new released patch to Big Sur. Now, generally speaking, I am never in a hurry to install anything and, being fearless by nature, I fear not the hacked PDF goblin. Or at least not enough to be compelled by fear of it, or of something like it, to install this patch, or any patch, in a hurry.
In line with my idea of what is only prudent, I’ll wait a week or longer to do anything about this patch, keeping my ears open wide to hear any screams of anguish that might issue from the mouths of the early adopters.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
I also customarily wait before installing patches – usually 2 to 3 weeks – and at the moment am thinking I’ll do the same this time.
Of course, this naturally leads to another aspect of patching that also leaves much to be desired: the role of the media and the security researchers. The former feel the need to overdramatize the situation probably in hopes that sensationalism sells, while the latter seem to be in constant need of trying to show off how smart they think they are. But by now I think we get it. Yes, bad things can happen, and yes, the white hat hackers are smart but why not try to explain things so the more typical users among us can understand just how imminent the threat is and what we can reasonably do to mitigate the problem while we wait to see just how safe a patch is?
Well, while I’m at it, here’s one last thought for software writers/developers. Instead of waiting for the black hat hackers to find the vulnerabilities that exist and then reacting to that in trying to patch things up, why not put more effort into doing it right the first time, thereby minimizing the number of vulnerabilities in the first place.
Well, while I’m at it, here’s one last thought for software writers/developers. Instead of waiting for the black hat hackers to find the vulnerabilities that exist and then reacting to that in trying to patch things up, why not put more effort into doing it right the first time, thereby minimizing the number of vulnerabilities in the first place.
I have a better idea. Why not develop an OS, browser, software… with no security holes so no security updates ? only updates for new features, new hardware support.. ?
I’m not in the habit of complimenting Microsoft, but it seems that they do make some attempt to indicate the severity of some vulnerabilities, give some mitigations and workarounds, and some indication as to whether or not an attacker needs physical access to a computer. Some of that info can be helpful; for example, if I keep my computers physically secure and an attacker needs physical access, I’m inclined to think that a patch is not terribly important to me.
DrBonzo: ” … another aspect of patching that also leaves much to be desired: the role of the media and the security researchers. The former feel the need to overdramatize the situation probably in hopes that sensationalism sells ….”
Please see my related comment here: https://www.askwoody.com/forums/topic/security-patches-for-apple-sept-13/#post-2389678
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
I have updated my 2-gen iPhone SE to iOS 14.8 with no apparent problems.
I have updated my Intel-based Kaby Lake 21.5″ iMac4K to Big Sur 11.6 – using it as we speak.
I am in the process of downloading/installing Big Sur 11.6 on my M1 MacMini – don’t anticipate any problems but will report them if I do. Will be using it for Patch Tues later today.
There is a Security Update 2021-005 for MacOS Catalina.
I will install it once Patch Tues rush is over, before updating the Win7/Win8.1/Win10/Win11 Insider VMs running on the Catalina machines. Also will report any problems.
Update: M1 MacMini successfully updated to Big Sur 11.6. Currently in use here.
It does not add much to the WSJ article but here is the Citizen Lab article:
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
