Apple Addresses Critical Security Loopholes Across All Devices Via Latest Firmware Updates

Apple today has rolled out a series of firmware updates for all supported devices under its ecosystem. According to the respective support pages published on the company’s website, these contain security-based fixes for the CoreGraphics and WebKit vulnerabilities that potentially allows for a “zero-click” installation of malicious software onto affected Apple products.

Malware that exploits these vulnerabilities are capable of infecting a device without requiring the victim to do anything, hence the term “zero-click”. One such example of this is the Pegasus hacking platform, a spyware tool developed by an Israeli firm known as the NSO Group.

If both of these names sound familiar, this is because they have been associated with several attacks on platforms including Apple’s iMessage, as well as Facebook’s encryption-based private messaging service WhatsApp. The Pegasus tool is alleged to be capable of committing various privacy breaching acts such as compromising user data and passwords, as well as remote activation of a device’s onboard microphone or camera.

Security researchers at Citizen Lab reports that NSO may have likely been relying on the CoreGraphics loophole – an exploit also first discovered by the research group –  to gain access and install the Pegasus spyware onto a target’s device. Apple credited Citizen Lab for the crucial discovery in the patch notes that are included together with the series of recently released firmware updates.

Meanwhile, Apple notes that this particular WebKit vulnerability addressed in the new update was discovered by an anonymous researcher. Prior to the fix, the exploit is reported to have affected devices under the company’s iOS and macOS Big Sur platforms. For the uninitiated, WebKit is the web browser engine used by various Apple first party applications such as Safari, Mail, and App Store. This isn’t the first time a vulnerability was discovered in the engine, as the company has addressed three other similar issues back in March, May and July of this year.

Apple users are highly advised to update their devices with today’s newly released firmware upgrades. These latest versions include iOS 14.8 for the 7th gen iPod touch and iPhone models from 6s onwards; iPadOS 14.8 for all iPad Pro models, iPad Air 2 onwards, iPad 5th gen onwards, and iPad mini 4 onwards; macOS Big Sur 11.6 for all supported Mac devices; and finally, watchOS 7.6.2 for Apple Watch Series 3 onwards.

Microsoft: No Windows 11 Updates If CPU Does Not Meet Requirements

Over the last couple of weeks, Microsoft has made clear its hardware requirements to run Windows 11, while also reaffirming customers whose PCs don’t meet the standard that it won’t leave them in the lurch just like that, saying they will still be able to install the OS via an ISO.

Now it appears that the company is having a Mr. Hyde moment and telling all who do the latter that there is a catch: while users can install the Windows 11 via ISO, it will withhold the Windows Update feature if it detects that PC’s components are not up to its specifications.

While it is clear that the existence and function of Windows Update will certainly divide the room, one cannot argue that withholding the program means that said PCs will lack the ability to automatically download and install important security updates from the parent company over time. Even if some of us are perfectly content with having the feature disabled and turned off.

At this point, there is really no reason for Microsoft to act this way, especially if Microsoft intends for wider adoption of Windows than what it already has. However, as The Verge puts it, this could just be a “cover-your-ass” measure, aimed at discouraging the masses from thinking that it would offer a warranty or technical support for PCs that fail to meet the requirements.

Mind you, this isn’t Microsoft outrightly saying that its withholding updates for Windows 11 altogether; in theory, users adamant about sticking with systems running on CPUs older than Intel’s 8th generation Coffee Lake or AMD’s 1st generation Zen architecture can still get the update, albeit by manually downloading and installing said updates, on a per release basis.

Ultimately, Microsoft’s “selfish” act of withholding the updates can be viewed from a couple of viewpoints. The first is that the company would rather threaten its customers indirectly, rather than backtrack and make changes to the system requirements for Windows 11. The second? The move is Microsoft’s not-so-subtle way of pressuring PC owners into updating their systems with the latest hardware currently on the market.

Germany Wants Phones To Get Seven Years Of Security Updates

With phones across the price range getting sequels and successors basically every year, it’s easy to think that each generation will be short-lived. That being said, if you’re really careful, you can definitely keep it running for very long, sometimes beyond the last security update that it gets. Germany wants this to change, and it is looking to get phone makers to provide seven years of security updates.

German publication Heise reports that the country’s government has made a proposal to that effect, alongside extended repair support. Not only must phones get security updates for seven years, spare parts for them must also be easily obtainable and at a reasonable price.

The report also mentions an opposing view in the form of DigitalEurope, an industry association that represents brands like Apple, Samsung and Huawei. The association says that security updates should be limited to three years, and software updates at two. Spare parts should also be limited to batteries and displays, as other parts “rarely fail”.

On the face of it, the battery is probably the biggest hurdle in getting a phone to last anywhere near seven years. Add in the fact that many phones come with some sort of water resistance (even if they’re not advertised features), and this makes battery replacement, and maintaining water resistance after that, tricky.

Apple’s App Store Rejected 1 Million New Apps, 1 Million App Updates Last Year

Apple announced in a recent blog post that its App Store rejected or removed almost one million “problematic” new apps and almost one million app updates last year. This comes as Apple defends its famously tight control over its App Store in court and elsewhere.

The reasons for the rejections and removals are apparently diverse. According to Apple, many of these apps weren’t finished or functioning properly, or didn’t have a sufficient mechanism to moderate user-generated content.

But the tech giant also said it rejected over 215,000 of them for various kinds of privacy violations; over 150,000 for being spam, copycats, or misleading to users; and over 48,000 for containing hidden or undocumented features. Additionally, the company boasted that it protected users from over US$1.5 billion (~RM6.2 billion) in potentially fraudulent transactions.

It’s quite clear what Apple is attempting to do – publicly making the case that the conditions it imposes and enforces on developers ensure its App Store is a safe and trusted place for consumers. The company’s critics, on the other hand, would describe this as an oppressive monopoly.

Unsurprisingly, the timing of Apple’s blog post coincides with its high-profile court battle with Epic Games, which is suing the former for its anti-competitive practices. Epic wants to pry open Apple’s “walled garden” so it can bypass the 30% commission Apple slaps on in-app purchases.

“Epic wants us to be Android, but we don’t want to be,” said Apple lawyer Karen Dunn, according to CNBC. The company argues its stringent App Store rules are the reason why the Android system has far worse security statistics.

Google Resumes Updates For Several iOS Apps, Fixes “Out-Of-Date” Bug

December 2020 was the last time Google released any updates for its iOS apps, and its actions are causing issues for users that are on the mobile platform. Users who tried to sign in to their Google accounts were reportedly met with “this app is out of date” notices, specifically with Gmail, Google Maps, and Google Photos. To name a few.

The good news is that Google seems to have apparently resolved the issue, rolling out the appropriate updates as a solution. As to the cause of the sign-in error, Google says that it was due to a bug.

The rollout can also be seen as Google staying true to its word, that it would start including Apple’s new mandatory app privacy labels with every app update. That said, there are still other Google-based iOS apps that have yet to receive an update. Case in point, the search engine’s Chrome app still remains unpatched and could spell disaster, from a security standpoint, if it continues to be left as such.