Apple and Google could be a lot clearer about their security patches

Multiple times this week, I’ve updated mobile devices with security patches from Apple and Google. And every time, the user experience has left me feeling that these companies don’t think I need to know anything about the content of those patches.

On my iPad mini 6 and my Google Pixel 5a, and then later on a review iPhone 11 (I don’t know why Apple PR hasn’t started charging me late fees on that loaner), the notice of a security patch came with a description no more specific than “bug fixes and security updates,” the vague phrasing shown on my tablet.

Photo of a Google Pixel 5a and an Apple iPhone 11, each open to its maker's page purporting to describe the update. The phones are seen from above, resting on a brown background.

Each update notice also came with a link that should have provided more details but did not. On the iPad and iPhone (plus the Mac mini on which I’m typing this post), Apple sent me to the same “Apple security updates” page I’ve been visiting for years–“a dusty bookshelf of a page indexing patches going back to Jan. 8, 2020,” as I described it at PCMag. My Android phone’s notification, meanwhile, sent me to a “Pixel Community” page that led off with a “Featured Posts” list of the past few months’ worth of updates for Pixel devices.

So on each device, I had to tap further to see just what was getting patched. In Apple’s case, it was a serious vulnerability in its WebKit browser framework: “Processing maliciously crafted web content may lead to arbitrary code execution.” And somebody was already exploiting this to attack users: “Apple is aware of a report that this issue may have been actively exploited.”

That kind of “zero-day” vulnerability deserves a more direct description, so people will know that it’s worth having their devices unusable during the install process (more than 6 minutes on the iPhone 11) to lower the odds of getting hacked.

Google’s February 2023 patch, meanwhile, revealed itself to include patches for accessibility, audio, Bluetooth, and calendar features, plus security fixes that were not specified in any way until after three more taps of links. Even then, the Pixel update bulletin I eventually unearthed only listed the vulnerabilities by “CVE” (Common Vulnerabilities and Exposures) numbers that I then had to Google for more details.

The one issue that the Pixel bulletin labeled a “high” risk turned out to be a memory bug that, per the National Institute of Standards and Technology’s vulnerabilities database, could allow “local information disclosure with no additional execution privileges needed.” I read that as an opportunity for a hostile app to snoop on my data and was then relieved to see that NIST did not describe this “vuln” as already being exploited.

I’m not saying that you should hold off on security fixes until you get a detailed breakdown of their code; your safest course is to trust Apple, Google and Microsoft and install their patches as soon as possible, because the developers there spend more time on this than you possibly can. I am saying that it should be basic software manners for these companies to allow their more curious customers to enlighten themselves about these updates as fast as possible. That means in one click, not two, four, or more.
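The one-click summary this post asks for can be assembled from the pieces it describes: the CVE numbers in a bulletin, the severity score NIST’s database attaches to each, and whether anyone is already exploiting it. The script below is an added example, not code from this post or from Apple or Google; the bulletin text, NVD records, CVE ids and known-exploited list are all constructed placeholders, and a real tool would fetch the NVD records over the network.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample bulletin text; the CVE ids below are placeholders,
# not real entries, and the severities are invented for the example.
BULLETIN = """Pixel Update Bulletin (constructed sample)
Kernel components: CVE-2023-90001 High, CVE-2023-90002 Moderate
Qualcomm components: CVE-2023-90003 Moderate, CVE-2023-90001 High
"""

# Constructed stand-in for NVD records keyed by CVE id (a real tool would
# fetch these over the network): CVSS v3 base score and a one-line summary.
NVD = {
    "CVE-2023-90001": (7.8, "local information disclosure, no additional privileges needed"),
    "CVE-2023-90002": (5.5, "out-of-bounds read in an audio driver"),
}
# Constructed stand-in for a known-exploited-vulnerabilities list.
KNOWN_EXPLOITED = {"CVE-2023-90003"}

def extract_cves(text):
    """Return the distinct CVE ids in a bulletin, in first-seen order."""
    seen = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen

def severity_label(score):
    """CVSS v3 qualitative rating; 'unrated' when NVD has no score yet."""
    if score is None:
        return "unrated"
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"

def summarize(bulletin, nvd, exploited):
    """One-screen summary: exploited entries first, then by score, unrated last."""
    rows = []
    for cve in extract_cves(bulletin):
        score, desc = nvd.get(cve, (None, "no NVD record found"))
        rows.append({"cve": cve, "score": score, "severity": severity_label(score),
                     "exploited": cve in exploited, "summary": desc})
    # Sort key: known-exploited first, then scored before unscored, then highest score.
    rows.sort(key=lambda r: (not r["exploited"], r["score"] is None, -(r["score"] or 0.0)))
    return rows
```

Calling `summarize(BULLETIN, NVD, KNOWN_EXPLOITED)` puts the actively exploited entry at the top even though the bulletin itself rated it only “Moderate.”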


Weekly output: SLS explained, skepticism for Warner Bros. Discovery, wireless carrier cell-site location data retention, security-patch severity, Twitter opens Circle feature, Samsung’s 8K pitch at IFA, electronic eccentricities at IFA

This week’s trip to Berlin and back to cover the IFA trade show (reminder, with the event organizers covering most of my travel costs) finally allowed me to experience Berlin Brandenburg Airport as a passenger instead of as a zombie-airport tourist. I can’t say I miss Tegel Airport’s weird system of having separate security screenings at every gate.

8/29/2022: NASA’s Space Launch System—whenever it comes—will mark the end of an era for U.S. spaceflight, Fast Company

This post needed a quick rewrite before posting to cover Monday’s scrub of the planned Artemis I launch of the SLS. After a second scrub Saturday, this headline remains current. And it appears that I have a renewed opportunity to see this giant rocket fly in person.

8/29/2022: Bloomberg Intelligence raises flags about Warner Bros. Discovery, Fierce Video

I wrote this post during last week’s flurry of filling in at my trade-pub client, but it didn’t get published until Monday.

8/29/2022: Here’s How Long Your Wireless Carrier Holds on to Your Location Data, PCMag

I wrote this from a lounge at Dulles Airport before my departure for Berlin, but it helped that I’ve covered this topic before.

8/31/2022: Security patches for your iPhone come all the time. But should you be told which are important?, USA Today

This isn’t the first time a column for USAT started with a tech-support query from a relative.

9/1/2022: Twitter opens Circle to all users, Al Jazeera

The Arabic-language news channel asked if I could cover Twitter’s introduction of this new audience-selection tool. It’s an interesting topic (in part because Twitter has basically reinvented the Circles feature of Google+), but doing this TV hit from IFA required me to find a quiet spot with bandwidth. I found that spot in the landscaped Sommergarten in the middle of the Berlin Messe.

9/2/2022: Samsung Shows Off a Video Unicorn at IFA: A TV Series in 8K, PCMag

The dismal 8K sales stats I reference in the closing paragraphs are really something, and I’m saying that as a longtime skeptic of the 8K value proposition.

9/3/2022: Ovens with eyes, a chameleon of a fridge, and other electronic eccentricities at IFA, Fierce Electronics

I wrote this recap of IFA oddities–a staple of my coverage of the show over the last 10 years–for this sibling publication of Fierce Video.