By: Christopher A. Iacono, Mary Kate McDevitt
Takeaway: The recent vulnerabilities in Apple software have exemplified the importance of patch management and keeping devices up to date with the latest operating systems and software in order to protect the security of devices.
The recent data breach reported by Apple, Inc. (“Apple”) has once again brought global attention to privacy threats caused by security flaws and vulnerabilities.[1] On Wednesday, August 17, 2022, Apple released two emergency updates in response to a zero-day threat, that is, an attack that targets a previously unknown security vulnerability. The updates affected the following products: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)” as well as Safari and Mac computers running macOS Monterey.[2] Given that there are over 1.5 billion active Apple products in use worldwide, the vulnerability had potentially significant reach.[3]
The vulnerabilities have the following CVE-IDs: CVE-2022-32893 and CVE-2022-32894. The aim of the Common Vulnerabilities and Exposures (CVE) program is to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”[4] Publishing consistent descriptions of security vulnerabilities allows organizations around the world to coordinate their efforts to prioritize and respond to the vulnerabilities, which maintains the integrity of devices and systems.[5] CVE is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Apple's description of the security updates states that an “out-of-bounds write issue was addressed with improved bounds checking.”[6] This means that an attacker could write data before the beginning or after the end of the intended buffer, which can cause a crash, corruption of data, or code execution.[7] The issue was addressed by checks meant to catch errors and protect the integrity of operations by ensuring that certain variables are within the bounds of an array before use.
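The following C sketch illustrates the class of flaw and the kind of bounds check described above. It is an added example, not Apple's code and not taken from the advisories; the `table` structure, the function names and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_COUNT 8

/* Hypothetical fixed-size table, for illustration only. */
struct table {
    uint32_t slots[SLOT_COUNT];
    uint32_t guard; /* neighbouring data an out-of-bounds write could corrupt */
};

/* Unchecked: trusts the caller's index. A negative index writes before the
   array and an index >= SLOT_COUNT writes past its end (CWE-787). */
void store_unchecked(struct table *t, long index, uint32_t value)
{
    t->slots[index] = value;
}

/* Checked: rejects any index outside [0, SLOT_COUNT) before writing. */
int store_checked(struct table *t, long index, uint32_t value)
{
    if (index < 0 || index >= SLOT_COUNT)
        return -1;
    t->slots[index] = value;
    return 0;
}

/* Checked range write. The test is phrased as a subtraction so that a huge
   n cannot make start + n wrap around and slip past the check. */
int fill_checked(struct table *t, size_t start, size_t n, const uint32_t *src)
{
    if (start > SLOT_COUNT || n > SLOT_COUNT - start)
        return -1;
    memcpy(&t->slots[start], src, n * sizeof *src);
    return 0;
}

int main(void)
{
    struct table t = { {0}, 0xA5A5A5A5u };
    const uint32_t src[4] = { 1, 2, 3, 4 }; /* constructed sample input */
    int ok = store_checked(&t, 3, 7) == 0      /* in range: accepted */
          && store_checked(&t, -1, 9) == -1    /* before the beginning */
          && fill_checked(&t, 6, 4, src) == -1 /* would run past the end */
          && t.guard == 0xA5A5A5A5u;           /* neighbour left untouched */
    return ok ? 0 : 1;
}
```
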
The security updates indicated that the issue may have been actively exploited. This language signals a heightened level of risk because it means that Apple was notified that individuals or groups were attempting to use the flaw in order to conduct an attack. The updates also noted that the bug in Safari WebKit could allow attackers to gain full control of the device, which is a particularly serious threat.
Based on the activity of cyber criminals in 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom released a report in February 2022 identifying the threats and trends of cyber-attacks.[8] Part of this report included an observation from CISA and the Federal Bureau of Investigation (FBI) that certain subsets of attackers were “shifting away from ‘big-game’ hunting in the United States,” meaning “perceived high-value organizations and/or those that provide critical services.” The CISA report also specified that cyber-attacks have increased their impact by targeting cloud service providers, such as Apple.
The CISA report emphasized the importance of patch management and keeping operating systems and software up to date in order to mitigate the impact of cybersecurity incidents. In support of this notion, the report advises “[t]imely patching” as “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” Further, the report instructs organizations to “[r]egularly check for software updates and end of life (EOL) notifications, and prioritize patching known exploited vulnerabilities.”
[1] https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/apple-releases-security-updates-multiple-products
[2] https://support.apple.com/en-us/HT213412
[3] https://www.bnnbloomberg.ca/apple-nears-two-billionth-iphone-sale-13-years-after-launch-1.1371339
[4] https://www.cve.org/About/Overview
[5] Id.
[6] https://support.apple.com/en-us/HT213412
[7] https://cwe.mitre.org/data/definitions/787.html
[8] https://www.cisa.gov/uscert/ncas/alerts/aa22-040a
* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or reach out to any of Pietragallo’s attorneys on any legal questions concerning a specific situation.