Apple’s latest tranche of security updates is out.
The complete list is covered by six Apple Security Advisories:
- SA-2016-05-16-1: Apple tvOS 9.2.1
- SA-2016-05-16-2: Apple iOS 9.3.2
- SA-2016-05-16-3: Apple watchOS 2.2.1
- SA-2016-05-16-4: OS X 10.11.5 (and Security Update 2016-003)
- SA-2016-05-16-5: Safari 9.1.1
- SA-2016-05-16-6: Apple iTunes 12.4
As usual, the principal OS X update applies to the current flavour of the operating system, El Capitan (OS 10.11), with a separate security update to patch the two versions before that, Mavericks (10.9.5) and Yosemite (10.10.5).
Users of OS X 10.8 and earlier are out of luck: those versions are in the same boat as Windows XP when it comes to security – unsupported and unpatched.
Unlike Microsoft, which has truly disowned the unsupported XP, Apple will still let you buy OS X 10.8 (Mountain Lion) and even the almost-seven-year-old OS X 10.6 (Snow Leopard), back from when OS X versions were named after cats rather than dramatic extreme sports locations. The give-us-your-money-but-don’t-expect-any-updates versions are £14.99 via Apple’s UK website the UK, delivered as a physical package; you can even choose to have them gift-wrapped for free.
The Safari patch arrives along with the El Capitan 10.11.5 download; on earlier versions of OS X you’ll need to update it separately.
A wide range of security holes was patched in this round of updates, including:
- A way for an ordinary application to acquire kernel-level powers. This allows a user-level program to sidestep the “Type your password to allow this” security pop-up, and secretly to elevate its own privilege.
- A way for apps work out exact memory locations used by the kernel. This can help crooks to bypass address randomisation, a security measure that makes it harder to guess how to hack into a system.
- A way for regular apps to read kernel memory. This is never good, because the kernel holds privileged data that normal users aren’t supposed to see.
- A way for content in a booby-trapped web page to run program code without any warnings. Remote Code Execution of this sort, commonly used in drive-by malware installs, can be combined with an elevation of privilege attack to take over the whole computer in one go.
In short, these updates include critical fixes that we advise you to install as soon as you can.
We grabbed iOS 9.3.2, OS X 10.11.5 (with the included update to Safari 9.1.1), and iTunes 12.4 as soon as Apple’s notifications came through.
So far, so good.
Some people are very publicly complaining, however, taking to Twitter to claim that iOS 9.3.2 has bricked their iPad Pro devices.
The usual way to update an iDevice is what’s known as OTA, short for Over The Air, where you let your current version of iOS download the bits it needs to complete the update and then apply the needed changes.
This is usually a lot more efficient that downloading a complete firmware image, because you don’t need to fetch parts that haven’t changed. (Our update, from 9.3.1, was an 89MB download, a tiny fraction of the full firmware’s 2.08GB.)
Nevertheless, there’s always that worrying moment when you know your old iOS version is about to shut itself down and the stitched-together new version is supposed to boot up in its place…
…and at least some iPad Pro users seem to have got stuck right there.
That leaves you with a dilemma: try to find a way to get the new version to boot up like it was supposed to, or cut your losses, and restore your device using iTunes over a reassuringly visible, physically connected, USB cable.
A full firmware reinstall is a refreshing experience if you do it once in a while, because you can be sure it removes all the detritus of the past, but that’s because it really does remove everything, including your apps, your data and your configuration settings.
Unfortunately, some iPad Pro users claim to be experiencing updating errors even after they’ve used iTunes to try to correct a failed OTA update, thus the claims of “bricking” their devices.
A device is said to be bricked if it can’t be made to reboot again due to a botched update that prevents all future updates: it makes your expensive device no more useful than a brick. (In the early days, mobile phones were about the size of a brick, thus the metaphor.)
What to do?
What isn’t it clear is whether the affected devices really are bricked permanently – unrecoverably useless, in other words – or whether they can be recovered by a complete, locally-sourced wipe-and-restore.
A local restore is a non-default way of using iTunes where you download the entire firmware image first, all 2GB or so of it, so that you can verify that you have the whole file correctly downloaded up front, and aren’t at the whim of your network connection while iTunes is busy.
You then manually put your iDevice into DFU Mode (short for Device Firmware Update) with a special power-up key sequence, and hold down the Option key (Shift on Windows) before choosing the [Restore] option in iTunes.
That enables a hidden feature in iTiunes that allows you to choose a local file for your firmware update, rather than acquiring the update via the internet.
There are no guarantees, of course, but it does remove one variable from the update process: your network.
We’re not going to give more instructions than that (try your favourite search engine), but do make sure that you download the right firmware image, which will be unique to your device, and which should have the extension .ipfw (short for iPod/iPad/iPhone firmware).
See if that helps.
If all else fails, you may have to throw yourself on the mercy of an Apple Store, if you have one in your area.
LEARN MORE: UNDERSTANDING VULNERABILITIES