Apple’s latest security updates for Mac and iPhone users are out.
As it happens, we’ve written about two BWAINs recently. (A BWAIN is a bug with an impressive name, wittily or provocatively titled for PR purposes by the researchers who discovered it.)
For Apple users, it’s one BWAIN down, one BWAIN to go after this latest round of patches.
The first BWAIN of July 2017 was BroadPwn, a potential way to break into a mobile device by triggering a bug in its Wi-Fi hardware.
Simply put, a proximate attacker, to borrow Google’s curious jargon phrase for “someone in wireless range”, could fire booby-trapped network packets at your Wi-Fi card and thereby infect your wireless firmware with malware.
Even if the infected firmware couldn’t help attackers work their way into the operating system and the apps on the device itself, a hacked Wi-Fi card is a worrying thought.
If a crook had complete control over your wireless hardware, then going online via Wi-Fi would be like connecting via the dodgiest access point you could imagine, at the most dubious coffee shop you could think of, all the time.
Google patched its own Android devices about three weeks ago, which is when BroadPwn was announced; Apple followed suit for iPhone and iOS users with this week’s update to iOS 10.3.3.
Apple laptops with Broadcom wireless chips were also at risk from the BroadPwn attack; Mac users received the same fix in the update to macOS 10.12.6.
The second BWAIN of the past month was Orpheus’ Lyre, which we’ve been calling OL for short (to avoid that pesky apostrophe), whereby a crook inside your network might – admittedly with some difficulty – trick unpatched users into going to the wrong server by exploiting a bug in the network authentication protocol Kerberos.
It doesn’t look as though Apple was able to patch OL in time for the iOS 10.3.3 and macOS 10.12.6 updates, but that’s not surprising given that OL was only made public this week, after Microsoft published its patch for the hole.
The discoverers of OL haven’t explicitly said whether Apple’s operating systems are vulnerable or not, though we suspect they are. Because Apple generally doesn’t comment on security holes and fixes until the patches are published, we can’t yet tell what to expect from Apple’s side.
As usual, of course, Apple’s updates include dozens of patches for bugs that didn’t have impressive names, many of which we consider much more serious than OL.
These critical bugs included several kernel vulnerabilities in both macOS and iOS that had opened up remote code execution (RCE) holes.
RCE generally means that an outsider can trick your computer into running malware without waiting for you to initiate a download or to click through to launch a file – so that you don’t see any sort of warning that might let you head off the attack.
Worse still, an RCE at kernel level pretty much means that attackers can take over your whole device, given that the kernel is the heart of the operating system, and is itself responsible for enforcing the security of, and the separation between, different apps.
In other words, as we never tire of saying, “Patch early, patch often.”
If it’s any comfort, we applied the macOS and iOS updates within two minutes of receiving Apple’s official notification emails, with no ill-effects whatsoever.
To check that you’re up to date, or to fire off an update if you aren’t: on an iPhone, go to Software Update; on a Mac, use Apple icon | About This Mac |
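For Mac users who would rather script the check than click through the menus, here is an added example (our own, not from the article or from Apple) that compares the running macOS version against the 10.12.6 release mentioned above and points at Apple’s softwareupdate tool if the Mac is behind. It assumes a Mac with the standard sw_vers and softwareupdate commands; the version-comparison helper is written in plain POSIX sh so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original article: report whether this Mac
# is at or above the macOS release that carries the fixes discussed (10.12.6).
# The dotted-version comparison is our own helper; sw_vers and softwareupdate
# are Apple's standard macOS command-line tools.

# version_at_least CURRENT REQUIRED
# Returns 0 when CURRENT >= REQUIRED, comparing numeric dotted components
# left to right; missing components count as 0 (so 10.12 < 10.12.6).
version_at_least() {
    cur="$1"; req="$2"
    i=1
    while :; do
        # awk yields an empty string for a component that does not exist
        c=$(printf '%s\n' "$cur" | awk -F. -v n="$i" '{ print $n }')
        r=$(printf '%s\n' "$req" | awk -F. -v n="$i" '{ print $n }')
        # both strings exhausted with no difference found: versions are equal
        [ -z "$c" ] && [ -z "$r" ] && return 0
        c=${c:-0}; r=${r:-0}
        [ "$c" -gt "$r" ] && return 0
        [ "$c" -lt "$r" ] && return 1
        i=$((i + 1))
    done
}

# check_mac_patched REQUIRED
# Returns 0 if the running macOS is at or above REQUIRED, 1 if it is older,
# 2 if this is not a Mac (sw_vers missing).
check_mac_patched() {
    required="$1"
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: this does not look like a Mac" >&2
        return 2
    fi
    current=$(sw_vers -productVersion)
    if version_at_least "$current" "$required"; then
        echo "macOS $current is at or above $required: patched"
        return 0
    fi
    echo "macOS $current is below $required: run 'softwareupdate -l' to list" \
         "pending updates and 'softwareupdate -ia' to install them"
    return 1
}

# Run the check only when executed directly as check_patch.sh (the assumed
# file name), so the functions can also be sourced from another script.
case "$0" in
    *check_patch.sh) check_mac_patched "${1:-10.12.6}" ;;
esac
```

Save it as check_patch.sh and run `sh check_patch.sh` (or pass a different minimum version as the first argument); the exit code makes it usable from a fleet-inventory script as well as interactively.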