Updates to Apple’s zero-day update story – iPhone and iPad users read this!
2022-10-28 18:04

Why did a single security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know that iPadOS 16 was delayed, so did this recent update mean that iPadOS was now getting patched only to the same security level as iOS 16, which came out more than a month ago, while iOS advanced to 16.1, thus leaving iPadOS more than five weeks adrift in cybersecurity terms? Why did iPadOS 16 ultimately report itself as version 16.1? After updating, the About screen apparently says iPadOS 16, like the security bulletin did, while the iPadOS Version screen explicitly says 16.1.

It sounds as though iPhones and iPads now not only both support "The version family known as 16", but also both have the very latest security fixes, so why not simply call both of them version 16.1 everywhere for clarity, including in the security bulletin and on the About screen? Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS version X-3 when version X comes out, but is that the actual explanation of why macOS 11 Big Sur and macOS 12 Monterey got updates while Catalina didn't? What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received critical updates as well, taking it to version 15.7.

We've also seen Apple fail to produce updates for previous versions for two other reasons, either [a] because an update is genuinely needed, but turned out to be too tricky to get ready and test in time, or [b] because the previous version was now considered out of support, and wasn't going to get an update, whether necessary or not.

With Apple security bulletins almost always only telling you about patches that are available right now, missing updates regularly remain an unexplained mystery.

None of them directly clarified the first three questions above, although we now assume that the reason for Apple referring to "iPadOS 16" as well as to "iPadOS 16.1" was a possibly misguided attempt to convey the information that iPadOS was now getting its belated upgrade to version family 16, as well as getting an update equivalent in security fixes to the new iOS 16.1.

TL;DR if you're Apple: a little more clarity would go a long way in security bulletins, especially when you know either that a critical update is in the wings for users of earlier versions, or that they won't be needing an update because their version isn't affected.


News URL

https://nakedsecurity.sophos.com/2022/10/28/updates-to-apples-zero-day-update-story-iphone-and-ipad-users-read-this/