Multiple times this week, I’ve updated mobile devices with security patches from Apple and Google. And every time, the user experience has left me feeling that these companies don’t think I need to know anything about the content of those patches.
On my iPad mini 6 and my Google Pixel 5a, and then later on a review iPhone 11 (I don’t know why Apple PR hasn’t started charging me late fees on that loaner), the notice of a security patch came with a description no more specific than “bug fixes and security updates,” the vague phrasing shown on my tablet.
Each update notice also came with a link that should have provided more details but did not. On the iPad and iPhone (plus the Mac mini on which I’m typing this post), Apple sent me to the same “Apple security updates” page I’ve been visiting for years–“a dusty bookshelf of a page indexing patches going back to Jan. 8, 2020,” as I described it at PCMag. My Android phone’s notification, meanwhile, sent me to a “Pixel Community” page that led off with a “Featured Posts” list of the past few months’ worth of updates for Pixel devices.
So on each device, I had to tap further to see just what was getting patched. In Apple’s case, it was a serious vulnerability in its WebKit browser framework: “Processing maliciously crafted web content may lead to arbitrary code execution.” And somebody was already exploiting this to attack users: “Apple is aware of a report that this issue may have been actively exploited.”
That kind of “zero-day” vulnerability deserves a more direct description, so people will know that it’s worth having their devices unusable during the install process (more than 6 minutes on the iPhone 11) to lower the odds of getting hacked.
Google’s February 2023 patch, meanwhile, revealed itself to include patches for accessibility, audio, Bluetooth, and calendar features, plus security fixes that were not specified in any way until after three more taps of links. Except that the Pixel update bulletin I unearthed itself only listed the vulnerabilities by “CVE” (Common Vulnerabilities and Exposures) numbers that I then had to Google for more details.
The one issue that the Pixel bulletin labeled a “high” risk turned out to be a memory bug that, per the National Institute of Standards and Technology’s vulnerabilies database, could allow “local information disclosure with no additional execution privileges needed.” I read that as an opportunity for a hostile app to snoop on my data and was then relieved to see that NIST did not describe this “vuln” as already being exploited.
I’m not saying that you should hold off on security fixes until you get a detailed breakdown of their code; your safest course is to trust Apple, Google and Microsoft and install their patches as soon as possible, because the developers there spend more time on this than you possibly can. I am saying that it should be basic software manners for these companies to allow their more curious customers to enlighten themselves about these updates as fast as possible. That means in one click, not two, four, or more.
2/13/2020: Update Now: Apple Ships Fixes for Zero-Day Vulnerability in Macs, iPhones, iPads, PCMag
Rob Pegoraro 