• You think we’ve got it bad with Windows? How ’bout them, er, Apples?

    #1969097

    On Friday we saw iOS 13.1.1. Today we get iOS 13.1.2: iOS 13.1.2 includes bug fixes and improvements for your iPhone. This update: Fixes a bug where t
    [See the full post at: You think we’ve got it bad with Windows? How ’bout them, er, Apples?]

    4 users thanked author for this post.
    • #1969107

      Right.  Everybody knows Apple’s voluntary updates are just as bad as Windows’ forced updates.

    • #1969207

      It’s not unusual for Apple to offer point releases soon after a new iOS version; this has happened for years since 2007. Although, the fact that the version number is somewhat superstitious to some, I’d say is a bigger concern 🙂

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
      • #1969602

        Although, the fact that the version number is somewhat superstitious to some, I’d say is a bigger concern

        Au contraire O’Hare. 13 is the symbol of totality, completion and attainment. We might get lucky and eventually be bug free by the end of the year.

        MacOS iPadOS and sometimes SOS

    • #1969247

      At least Apple’s updates are less likely to fail, unlike Windows’ patches.

      Just someone who doesn't want Windows to mess with its computer.
    • #1969399

      At least they’re numbered so you can unKB4517211der18362.387stand them.

      Oh, hogwash.

      Apple just published “macOS Mojave 10.14.6 Supplemental Update 2” today, which is published under support article HT210589.  The build number of this update is 18G103.

      That’s three distinct pieces of information.  Not much different than Windows 10 version 1903, OS build 18362.367, published in KB4517211, right?

      Apple has its own unique foibles, too.  They don’t bump the OS version number unless they have something positive to advertise about it. They should have called this “10.14.8”, not “10.14.6 Supplemental Update 2”.

      Worse still, the term “Supplemental Update 2” doesn’t actually appear anywhere in macOS’s “About This Mac” screen after you’ve installed it.  It still just says “10.14.6”.  You have to dig into About This Mac -> System Report -> Software and see the system version there…. and you have to know that 18G103, not 18G95, is the correct build number.

      And then there’s the phrase “Supplemental Update” itself.  This is euphemistic language. It’s just a security update, but Apple doesn’t like to draw attention to the fact that their operating system has security vulnerabilities.  The word supplemental makes it sound like they’re giving you a little something extra.

      Oh yeah, and it’s a 1.25 GB update to fix input validation in a single function call.

      1 user thanked author for this post.
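The post above notes that macOS still reports 10.14.6 after Supplemental Update 2, so only the build number (18G103 rather than 18G95) shows whether the update is installed. As an added example that is not part of the thread, this shell helper compares Apple build strings field by field, because a plain string comparison ranks 18G95 above 18G103. The digits-letter-digits layout and the function names `parse_build` and `build_at_least` are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare Apple build strings such as 18G95 and 18G103.
# Assumed layout: digits, one uppercase letter, digits, optional lowercase suffix.

# Print "major letter minor" for a build string, or nothing if it does not match.
parse_build() {
    printf '%s\n' "$1" |
        sed -n -E 's/^([0-9]+)([A-Z])([0-9]+)[a-z]?$/\1 \2 \3/p'
}

# Exit status 0 if build $1 is the same as or newer than build $2,
# 1 if it is older, 2 if either string does not match the assumed layout.
build_at_least() {
    have=$(parse_build "$1")
    need=$(parse_build "$2")
    [ -n "$have" ] && [ -n "$need" ] || return 2
    # Word splitting is intended: $1 $2 $3 = have, $4 $5 $6 = need.
    set -- $have $need
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    # Compare the letters by character code; a string test would depend on locale.
    hl=$(printf '%d' "'$2")
    nl=$(printf '%d' "'$5")
    if [ "$hl" -ne "$nl" ]; then [ "$hl" -gt "$nl" ]; return; fi
    [ "$3" -ge "$6" ]
}

# The two builds named in the post, checked against the patched build.
for b in 18G95 18G103; do
    if build_at_least "$b" 18G103; then
        echo "$b: at or above 18G103"
    else
        echo "$b: older than 18G103"
    fi
done

# On a Mac, check the running system (sw_vers is absent elsewhere, so this is skipped).
if command -v sw_vers >/dev/null 2>&1; then
    if build_at_least "$(sw_vers -buildVersion)" 18G103; then
        echo "running build is at or above 18G103"
    else
        echo "running build is older than 18G103 or could not be parsed"
    fi
fi
```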
    • #1969484

      Thanks for starting this blog with all the detailed information in the Home page.

      It comes to me as both a (slight) surprise and a relief to learn that none of the issues listed there applies to me, a proud owner of a MacBook Pro, Retina 15″ laptop. I do not use iCloud, or have an Apple phone, or any other Apple gadget, besides my really nice laptop.

      I installed the latest security updates both to Mojave (the current OS) and to Safari (the Apple browser that came installed with the Mac and that I have never used after giving it a first trial) on the weekend, and everything is running just fine, so far, at least that I have been able to check. It is not physically impossible, but, somehow, I do not think there will be a patch to this patch in another week or so. It takes time to get used to this situation, after being for so long with Windows as (most of the time) my only OS, but I am managing to make my way gradually towards such end. No Support Group seems necessary, so far.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #1969550

      With one HUGE difference: none of the found bugs in iOS lead to crashes or have a deep impact on the functioning of the devices it’s running on. It’s mainly about ‘collateral damage’, nothing to worry about too much. Also: the installing of the updates is a straightforward process with little or no risk involved.

      • #1969552

        Hey anonymous, just because you’ve forgotten iOS’s many problems, doesn’t mean they didn’t happen!

        I mean, consider what happened in the space of eight months in 2016:

        iOS 10.0.0 bricked iPads and iPhones left and right, necessitating the release of 10.0.1 shortly afterwards — with 10.0.2 following a few days later to fix more bugs.

        This came just a few months after iOS 9.3.2, which broke a lot of iPad Pros.  They had to pull that release (which itself fixed a security vulnerability), fix it, then release it again.

        This came two months after iOS 9.3.0, which also caused older iPhones and iPads to become non-functional, unless you restored them using iTunes.  Apple had to pull 9.3.0 for a while to fix it.

        And that was a couple months after iOS 9.2.1, which also had to be pulled, fixed, and re-released due to the update killing phones that had previously been fixed by third-party repair shops.

        This stuff was all widely documented on Mac news sites at the time.

        • This reply was modified 5 years, 7 months ago by warrenrumak.
        1 user thanked author for this post.
        • #1970368

          …listing an event 3 years ago that hasn’t recurred in iOS update patterns since?…

          not an Apple fanboy, but it’s a matter of “less bad than the Android mess and definitely much less bad than Windows…”

          iOS 12.4.1 on 5s

          anyone putting the new iOS on any iPhone within a month of release is a fool.

          anyone putting a revision to an iOS on their phone within two weeks of release is a slightly lower grade fool.

          I worked for an AASP and am certified on all the hardware through 2017.

          Hey look! Another Feature Update!

          You mean I shouldn't click Check for Updates?

          Where is the Any key?

    • #1969601

      At least, Apple’s updates are not forced, and it is not difficult to avoid them for as long as possible if you want to, unlike Windows 10. Apple provides GUI functions to completely disable automatic updates on both MacOS and iOS.

      I have never had a problem with iOS updates on my devices (iPhones and iPads), but then I have not installed iOS 13.x yet. But I won’t ever say that because I don’t have a problem with iOS, that other people with iOS devices won’t have problems.

      From past experiences, every time a major update of iOS is released, there will be problems associated with old and new devices. So I have adopted the policy of not installing the new iOS until the dust settles down, which may be weeks or even months. Same with new MacOS versions. In the case of MacOS, I usually postpone the new version right until almost the next version is ready to be released until I install it. MacOS Catalina 10.15 will be released soon, and I only just installed MacOS Mojave 10.14.6 a few weeks ago.

      I would take Windows 7 / Windows 8.1 / MacOS / iOS over Windows 10 any day.

      Hope for the best. Prepare for the worst.

      1 user thanked author for this post.
      • #1970210

        The problem with turning off automatic updates on iOS and macOS, or putting off updates for a significant amount of time, is that you end up being completely and fully exposed to remote attacks without any interaction on your part.

        If you aren’t running 12.4, all someone has to do is send you an iMessage, an SMS, a voicemail, or an email, and they can take complete control over your phone.

        And if you aren’t using the 10.14.6 Supplemental Updates, then the iMessage vulnerabilities extend to your Mac as well.

        Google has documented it all here: https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html

         

        • #1970713

          I do not install anything automatically in my Mac and do not receive  SMS, iMessage or voicemail communications. Email yes, of course. But I trash without opening (or the system does that for me), anything not coming from a trusted source. Is there a risk in that? May not an email be coming from the computer of a trusted source unknowingly infected with a worm that manages to squeeze past the active defenses I have put in its way? Yes, yes, of course. But the risk, given the nature of those sources, is quite low in my case.

          And I use the firewall to protect the system, plus give it a scan with the AV twice a day: once after I finish my regular, daily round of browsing looking for the latest weather report, news, etc., and again before signing off at the end of the current session.

          Not everybody can be as selective of incoming messages as it is possible for me to be. So warrenrumak’s #1970210 advice is attendible, although the things this advice is against doing are not really different from turning off the default to install updates automatically, prolonging the manual installation of Windows updates while waiting for the Defcon to move to something higher than two (but without the benefit of a Defcon for macOS…)

          Also about the lack of an equivalent to the Defcon for Macs, at least when it comes to macOS (the one for laptops and desktops). I would very much hope that at least some of Woody’s resident Mac gurus will sound the alarm if some aggressively intrusive malware affecting Macs has been found to be going around “in the Wild”. Not to mention what people will write about this in the main sites dedicated to Mac issues, as well as in those dedicated to computer security in general. It is up to us, the users, to avail ourselves of those sources of information to get early warnings of impending unpatched doom if nothing is done to avoid it. And then act as advised, to avoid such fate.

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #1970865

          If you aren’t running 12.4, all someone has to do is send you an iMessage, an SMS, a voicemail, or an email, and they can take complete control over your phone.

          With respect, neither the Google blog you quoted nor any of the CVE reports mentioned (I went through them all) back up your statement.

          The blog says quite clearly that the Project Zero researchers found 10 vulnerabilities *overall* in SMS, MMS, VVM, iMessage and the native email client (most in iMessage) but these allowed crashes (e.g. CVE-2019-8613) and memory corruption, not the ‘complete control’ that you assert.

          The blog says specifically that the main researcher – Natalie Silvanovich –  was unable to find any vulnerabilities with either SMS or MMS.

          Similarly, of the native iOS email client she also wrote:

          I found this vulnerability in version 11.3.1 of iOS, but it was clearly unexploitable in iOS 12 due to changes…

          The blog also says specifically:

          The majority of vulnerabilities occurred in iMessage due to its broad and difficult to enumerate attack surface. Most of this attack surface is not part of normal use, and does not have any benefit to users.

          For example, there was a bug in an iMessage ‘Digital Touch’ extension (that wasn’t fixed until July 22, 2019 – CVE-2019-8624) but the researcher states:

          This issue is very likely not exploitable…

          Not *one* single mention is made of an actual accomplishable exploit found that would allow ‘complete control over your phone’… not one.

          The closest was CVE-2019-8641… which the researcher thought was ‘likely exploitable’ (great research, i.e. she took a guess). Or another – CVE-2019-8660 – which the researcher describes as “This issue would likely be fairly difficult to exploit”, i.e. she couldn’t/didn’t.

          The Google Project Zero researcher does not make it clear what version of iOS she bases her concluding paragraph on (why not?) but given the dates the vulnerabilities were reported (e.g. March 9, 2019) and fixed (e.g. May 14, 2019) it’s likely this was a mixture. For example, the Visual VoiceMail bug (not a ‘complete control’ exploit) CVE-2019-8613 appears to have been fixed in iOS with release 12.3 (release date May 13, 2019).

          I note her conclusion includes:

          We reported a total of 10 vulnerabilities, all of which have since been fixed.

          They were vulnerabilities… bugs, not ‘in the wild’ exploits allowing ‘complete control’ of an iPhone. As a result I’m afraid that I disagree completely with your harbinger of doom message.

          (Note: Happily running iOS 13.1.2 on my iPhone 6S… it appears faster than 12.4.1 that I was using.)

          5 users thanked author for this post.
        • #1970933

          Even if some of what you said is true (which I doubt very much due to Rick Corbett’s reply), I don’t think I need to worry.

          If you aren’t running 12.4, all someone has to do is send you an iMessage, an SMS, a voicemail, or an email, and they can take complete control over your phone.

          I am already running iOS 12.4.1 or 12.4.2 on all my iOS devices. I am putting off installing iOS 13 for the time being, preferring to wait until I am satisfied.

          And if you aren’t using the 10.14.6 Supplemental Updates, then the iMessage vulnerabilities extend to your Mac as well.

          I have already installed the Supplemental Update. I won’t move to Catalina any time soon, not until mid-2020 at the earliest.

          So I thank you for your concern, but I won’t lose any sleep over this. I much prefer to install any such updates manually and at a time I decide, be it MacOS / iOS / Windows. No automatic or forced updates for me.

          Hope for the best. Prepare for the worst.

          • This reply was modified 5 years, 7 months ago by James Bond 007. Reason: Correction
          3 users thanked author for this post.