IOS, Chrome, Android, Windows: this is why you put yourself in serious danger if you miss the latest updates

Sundar Pichai talks about Google’s integrated system for many platforms during the Chrome keynote at Google’s annual developer conference.



Online Security

May saw a bundle of major fixes.

Atlantico: May was a busy time for security updates, with Google’s Chrome browser and Apple’s Android and iOS operating system releasing patches to fix serious vulnerabilities. Microsoft, Cisco, Nvidia, and Zoom have also released fixes for pressing flaws. What were the major updates for Apple and iOS? Why did they intervene?

Thierry Berthier: The 34 security updates released on May 16 by Apple are for iOS 15.5 and iPadOS 15.5. Some of them apply to the kernel of the operating system and are priority or critical. This set includes, for example, the Apple AVD vulnerability CVE-2022-26702 and its corrective patch which declares that an application may be able to execute arbitrary code with kernel privileges. The CVE-2022-26751 AppleGraphicsControl vulnerability, meanwhile, shows that processing a maliciously crafted image can lead to the execution of arbitrary code and a memory corruption issue has been addressed through improved input validation. Vulnerabilities affecting GPU drivers, Kernel, DriverKit, IOKit, ImageIO, AVEVideoEncoder are particularly critical since they allow an application to execute arbitrary code with kernel privileges. In other words, an attacker could exploit these security flaws to break into the system, elevate their privileges and take control of it with the objective of stealing data and/or demanding a ransom after the encryption of this data (ransomware). The CVE-2022-26731 Safari Private Browsing Vulnerability shows that a malicious website may be able to track users in Safari Private Browsing mode and the issue has been addressed through improved state management. In each case, these are critical vulnerabilities that compromise the security of the machine. It is therefore essential to carry out the recommended security updates without delay. These security announcements are obviously heavily followed by cybercriminal groups who can exploit them on unpatched systems.


Given the problems fixed by the latest updates in May-early June, how important is it that these be done quickly?

At the very moment of their publication, these vulnerabilities are all potential keys to opening doors in a system and building targeted or opportunistic attacks. A race against time is engaged in which the losers are always the latecomers who have not made their updates and corrective patches. From a purely systemic point of view, negligence is the first vector of risk: sometimes, we refuse or delay updates due to lack of time, availability or fatigue and we instantly offer new attack surfaces to attackers and malicious actors. This default negligence affects every user at one time or another. The “human factor” is generally the weak link in the security chain. Our cognitive biases, our level of fatigue, awareness or availability, associated with security flaws and system vulnerabilities, the motivation and professionalism of cybercriminal groups, promote and produce cyber risk. Security updates, the choice of robust passwords, the default distrust in opening attached files or dubious emails must become digital hygiene automatisms.

What are the risks for a device without an update? Is the risk the same according to the operating systems?

All operating systems are affected by vulnerabilities and security updates, including Linux and mobile OS like Android. Each system offers a specific attack surface with specific security vulnerabilities. We must distinguish between risk and impact. An outdated machine may present a high risk of ransomware takeover or destruction but with low or limited impact to a single user and their personal activities. When a smartphone is connected to a company’s information system, the impact can become enormous for the organization. It all depends on the scope of use of the system and its level of connectivity with other services. A non-updated computer, tablet or smartphone is by default a vulnerable system that can be exploited by attackers who apply the principle of simplicity or Ockham’s parsimony (or Ockham’s razor). Attackers optimize their efforts. They are generally opportunistic and primarily target the most vulnerable systems, that is to say the easiest to “type”. However, when it comes to a high-level, stealthy, sophisticated targeted attack, Ockham’s principle can be contradicted given the stakes of the attack and the expected gains. The attacker will then choose the method with the best chance of succeeding without leaving a trace, but not necessarily the easiest to implement. In any case, unpatched systems are opportunities to be seized!


Does the current environment of increasing cyberattacks make updates more important than ever?

Definitely. The level of cyber risk is constantly growing for all organizations, companies, SMEs, large groups, but also for individuals. Companies generally have an IT department and sometimes a CIO (Security Director) responsible for the structure’s security strategy. Doctrines and protocols for updating, regular backups of data and protection of the information system constitute the company’s security base. Very small businesses, SMEs, businesses, local authorities are prime targets. Some have taken cyber risk into account, others less so. Risk contexts are those where employees use and connect their personal tablets or smartphones to their company’s system, in the context of remote work, videoconferencing or collaborative work. If this personal machine has security vulnerabilities, it endangers the entire system. Hyperconnectivity makes work easier while increasing attack surfaces and cyber risk. Systematic updates are therefore essential to reduce this risk.

