Many times, when an operating system update is released, especially a minor one, doubt and laziness set in. Again? What does this update actually bring? What if it slows my device down? What if something goes wrong and it doesn't install properly? Is it worth it? These questions and many more cross our minds every time an update is announced, especially a minor one like version 12.1.3. Many of us end up putting it off and not giving it another thought: that is a mistake.
Updates to any operating system carry something far more important than the new features or assorted improvements the system may gain: the correction of security bugs.
A few weeks ago we told you right here how SQLite, the most important database library in mobile computing and one that Apple uses throughout its system, had a series of very serious security flaws that could allow an attacker to get into our system and take control of it or reach stored information. Here is the article where we talk about it. Well, this version, iOS 12.1.3, fixes those bugs in the system. And not only that: in total Apple is fixing 31 security bulletins in iOS alone with this version. Serious bugs that could compromise the security of our devices.
The most important thing to understand is what a security bulletin is and what a security flaw is. We are talking about bugs that absolutely nobody is safe from. No software, no operating system, no one. We are not talking about viruses or trojans, malicious programs that can be detected. We are talking about bugs in the software of our applications or systems which, when exploited, could allow an attacker to get into the device.
For example, Natalie Silvanovich of Google Project Zero (a Google security team dedicated to finding security holes in any product or system) found a bug in the iOS FaceTime app that allowed someone with network access to our iPhone to initiate a FaceTime call, take advantage of an unchecked data overflow and, in doing so, take remote control of the device.
This kind of bug, known as a buffer overflow, is very common in C, the base language of all technology today. In C, data structures such as a collection or a string must have a fixed size that is reserved in memory beforehand. But when more data arrives than the program expects to receive, the language writes all of it into memory anyway, running past the reserved area. That data then lands in adjacent memory that may be in use by something else or belong to another process, such as one of the system's. As a result we would be touching memory we should not, and that circumstance can be exploited to execute arbitrary code (that is, code that should not be there and that arrives inside the very data that caused the overflow). Code that bypasses security and obtains remote access to the device, for example, which is exactly the FaceTime bug we have just described.
To stop anyone from trying to reproduce this bug and take advantage of it, bulletins of this kind are normally confidential, and only the company concerned and the person who discovered the bug know its details. The bulletin publishes only a general description and a brief glimpse of how it was corrected. For example, for the FaceTime bug mentioned above, Apple has added a memory-usage check so that if a larger-than-expected piece of data comes in, it is truncated and never goes beyond the area reserved for it.
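To make the overflow described above and the truncating fix concrete, here is an added C example; it is not Apple's or FaceTime's code, and the buffer capacity, struct layout and message contents are all constructed for illustration. A fixed-size receive buffer is followed in memory by a sentinel field; the unchecked copy trusts the sender's length (the bug pattern), while the bounded copy lets the buffer's own capacity decide how much is written and flags the truncation, so the sentinel survives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size receive buffer of FRAME_CAP bytes, the
 * kind of area a C program reserves in advance for an incoming message.
 * Capacity and layout are hypothetical, not taken from any real product. */
#define FRAME_CAP 16
#define GUARD_BYTE 0xEE

struct frame {
    uint8_t data[FRAME_CAP];  /* the reserved area */
    uint8_t guard[4];         /* sentinel sitting right after data[] in memory */
    size_t  len;              /* bytes actually stored */
    int     truncated;        /* 1 if the sender offered more than FRAME_CAP */
};

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    memset(f->guard, GUARD_BYTE, sizeof f->guard);
}

/* Vulnerable pattern: the sender's length decides how much is written.
 * With src_len > FRAME_CAP the copy runs past data[] into guard[], len and
 * whatever follows. Kept only for comparison; the demo below feeds it
 * in-bounds input only. */
void frame_fill_unchecked(struct frame *f, const uint8_t *src, size_t src_len)
{
    memcpy(f->data, src, src_len);
    f->len = src_len;
}

/* Hardened pattern: the buffer's own capacity is the bound. Oversized input
 * is truncated and flagged instead of spilling into neighbouring memory. */
void frame_fill_bounded(struct frame *f, const uint8_t *src, size_t src_len)
{
    size_t n = src_len > FRAME_CAP ? FRAME_CAP : src_len;
    memcpy(f->data, src, n);
    f->len = n;
    f->truncated = src_len > FRAME_CAP;
}

/* 1 if the sentinel after data[] is untouched, 0 if something wrote over it. */
int frame_guard_intact(const struct frame *f)
{
    for (size_t i = 0; i < sizeof f->guard; i++)
        if (f->guard[i] != GUARD_BYTE) return 0;
    return 1;
}

/* Builds a constructed message of msg_len 'A' bytes (capped at 64), feeds it
 * to the bounded copy and returns how many bytes landed in the buffer. */
size_t bounded_stored_len(size_t msg_len)
{
    uint8_t msg[64];
    struct frame f;
    if (msg_len > sizeof msg) msg_len = sizeof msg;
    memset(msg, 'A', sizeof msg);
    frame_init(&f);
    frame_fill_bounded(&f, msg, msg_len);
    return f.len;
}

/* Same drive; returns 1 only if the input was flagged as truncated AND the
 * sentinel after the buffer survived, i.e. nothing leaked past the area. */
int bounded_flagged_and_guarded(size_t msg_len)
{
    uint8_t msg[64];
    struct frame f;
    if (msg_len > sizeof msg) msg_len = sizeof msg;
    memset(msg, 'A', sizeof msg);
    frame_init(&f);
    frame_fill_bounded(&f, msg, msg_len);
    return f.truncated && frame_guard_intact(&f);
}

int main(void)
{
    uint8_t msg[64];
    struct frame f;
    memset(msg, 'A', sizeof msg);

    frame_init(&f);
    frame_fill_unchecked(&f, msg, 8);   /* legal size: both versions behave */
    printf("unchecked, 8 bytes : len=%zu guard=%s\n", f.len,
           frame_guard_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    frame_fill_bounded(&f, msg, 40);    /* 40 > FRAME_CAP: cut to 16, flagged */
    printf("bounded, 40 bytes  : len=%zu truncated=%d guard=%s\n", f.len,
           f.truncated, frame_guard_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```

The sentinel is the point of the demo: a buffer overflow is invisible to the program that causes it, so the only way to see the difference between the two copies is to look at what sits next to the buffer. In real code the bounded version is the one to keep, and the truncation flag is worth logging, since a sender that repeatedly offers more than the buffer can hold is either broken or probing.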
Apple publishes a bulletin with each update listing the bugs that have been fixed. But as a precaution, the exact details of each bug are withheld so that nobody can exploit it.
Apple has published a document describing each of the bugs it corrects. They touch components such as the CoreAnimation library, which draws the animations in the system's interfaces; Bluetooth; the Core Media library, which plays multimedia content; the keyboard; Safari's reader mode; the natural language processing library; and the WebKit engine behind the Safari browser, among others.
Update, the way to be sure
So if we are ever in two minds about whether or not to update, here is a good reason not to think twice. It is true that many of these vulnerabilities are difficult to exploit and that many others remain to be patched because they have not yet been discovered, but the more secure we are, the better.
As a side note, this is one of the main problems Google is trying to solve with the manufacturers that use its Android operating system. As you have seen, Google takes security very seriously, and the work it is doing in this area with Project Zero is invaluable. They were the ones who found the flaws in Intel processors and those of other manufacturers (Spectre and Meltdown) that came to light a year ago. Unfortunately, the company itself cannot get a clear commitment from manufacturers to publish Android security bulletins that would guarantee their users' security, and that is a very serious problem at every level.
Don’t think about it, don’t doubt it. Upgrade. Your safety is more important than you think.
The longer we go without updating our devices, the more exposed we are to flaws that have already been discovered, and if anyone exploits one of them it can lead to a remote takeover, data theft and so on. As the saying goes, prevention is better than cure.