Security News

In brief Apple has patched an iOS and iPad OS vulnerability that's already been exploited. Apple issued patches for iOS 16.1 and iPad OS 16, to address this and 19 other vulnerabilities.

Why did a single security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know that iPadOS 16 was delayed, so did this recent update mean that iPadOS was now getting patched only to the same security level as iOS 16, which came out more than a month ago, while iOS advanced to 16.1, thus leaving iPadOS more than five weeks adrift in cybersecurity terms? Why did iPadOS 16 ultimately report itself as version 16.1? After updating, the About screen apparently says iPadOS 16, like the security bulletin did, while the iPadOS Version screen explicitly says 16.1. It sounds as though iPhones and iPads now not only both support "The version family known as 16", but also both have the very latest security fixes, so why not simply call both of them version 16.1 everywhere for clarity, including in the security bulletin and on the About screen? Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS version X-3 when version X comes out, but is that the actual explanation of why macOS 11 Big Sur and macOS 12 Monterey got updates while Catalina didn't? What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received critical updates as well, taking it to version 15.7.

Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug. Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today with improved bounds checking.

The "Clear-and-present danger" prize goes to iOS and iPadOS, which get updated to version 16.1 and 16 respectively, where one of the listed security vulnerabilites allows kernel code execution from any app, and is already actively being exploited. As you might have assumed, given that the release of Ventura takes macOS to version 13, three-versions-ago macOS 10 Catalina doesn't appear in the list this time.

In security updates released on Monday, Apple has fixed the ninth zero-day vulnerability used in attacks against iPhones since the start of the year. As Apple explains, if successfully exploited in attacks, this zero-day could have been used by potential attackers to execute arbitrary code with kernel privileges.

Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI, hasn't received any security updates from Apple for almost a year. The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.

Apple on Wednesday announced it plans to introduce an enhanced security setting called Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "Highly targeted cyberattacks." Lockdown Mode, when enabled, "Hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple said in a statement.

How to lock an iPad or iPhone into Single App Mode with Guided Access. Does your organization utilize iPad apps for kiosk-style uses, or have you ever needed to hand a device to someone else to use an app or enter information, but didn't want to give away access to everything that's on the device? Apple has a solution for these scenarios built into iOS and iPadOS called Guided Access.

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild. Both the vulnerabilities have been reported to Apple anonymously.

Here on Naked Security, we've been lamenting the mysterious nature of Apple's security updates for ages. In the sudo bug case, Apple did eventually come to the party, and updated its own products in September.