Another day, another nag from your iPhone and Mac that an update is ready. And Chrome. And for Microsoft, it’s Patch Tuesday, so that’s another round of installs on your plate. As tempting as it may be to kick them down the road (why not just wait for iOS 15 in a few weeks?), you’ll want to go ahead and do them.
Yes, this is standard advice; you should of course keep your software as up to date as possible. You could even enable automatic updates for everything and skip manual maintenance. But if you haven’t already, today is a particularly good day to get caught up, as Apple, Google, and Microsoft have all released security patches in the past two days for vulnerabilities that hackers are actively exploiting. It’s a zero-day patch extravaganza, and you don’t want to ignore your invitation.
Update your iPhone, Mac, and Apple Watch
The biggest headline of the group was the exploit chain known as ForcedEntry. Apparently linked to the notorious spyware broker NSO Group, the attack first came to light in August, when the University of Toronto’s Citizen Lab revealed it had found evidence of zero-click attacks, which require no interaction from the target to gain a foothold, being deployed against human rights activists. Amnesty International found similar forensic traces of NSO Group malware in July.
You might rightly be wondering: if these attacks were reported a few weeks ago, and the attack has been active since at least February, why is a fix only available now? The answer seems to be, at least in part, that Apple was working with incomplete information until September 7, when Citizen Lab discovered more details about the ForcedEntry exploit on the phone of an activist from Saudi Arabia. They found not only that ForcedEntry targeted Apple’s image rendering library, but also that it affected macOS and watchOS in addition to iOS. On September 13, Apple pushed fixes for all three.
“We would like to commend Citizen Lab for doing the very difficult job of getting a sample of this exploit so that we can develop this fix quickly,” said Ivan Krstić, Head of Security and Engineering at Apple, in a statement. “Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals. While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data.”
That is not just spin; it is true that only a very small number of Apple customers are at risk of seeing NSO Group malware land on their phones. A rule of thumb: if there’s a reason an authoritarian government might want to read your texts, you might be in danger. So definitely patch right now if that’s you, but also know that the next million-dollar exploit is still around the corner.
Even if you’re not a dissident, it’s worth installing this update. Now that some details are known, it is possible that less sophisticated crooks will try to exploit this same weakness. And again, it’s good hygiene to keep your software as up to date as possible.
Keeping your iOS, macOS, and watchOS software up to date is thankfully pretty straightforward. On your iPhone or iPad, go to Settings > General > Software Update. Tap Download and Install to get iOS 14.8 on your device, and while you’re at it, turn on automatic downloads and installations. Just note that automated updates will only happen if your phone is charging and connected to Wi-Fi overnight. You can also update your Apple Watch from your iPhone: head to the Watch app, tap the My Watch tab, then General > Software Update. From the watch itself, tap Settings > General > Software Update. For macOS, go to the Apple menu, then click System Preferences > Update Now.
Sorry, Microsoft fans, you’re on the hook too. A week ago, the company revealed that a zero-day vulnerability in Windows is being actively exploited. Rather than among the state actors to which NSO Group sells its exploits, the flaw in MSHTML, the rendering engine used by Internet Explorer and Microsoft Office, is circulating among cybercriminals.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents,” the company said in a security bulletin last week. If you open a malicious Office file, a hacker could gain the ability to execute commands on your machine remotely. And while Microsoft first detailed some ways to prevent a successful attack even without a patch, security researchers quickly figured out how to bypass these workarounds. Not only that, but as the security news site Bleeping Computer reported this week, hackers were actively sharing details on forums about how to exploit the vulnerability for days before the patch was released.
It’s a good day to update all your devices. Trust us