Three days ago Apple released an iOS 9.2.1 update with seemingly arbitrary ‘security updates and bug fixes’ listed in the release notes. As we’ve seen time and time again with these type of software updates, most often these small updates seem to go ignored by the general public. We stress how important it is to keep your device up to date, even with small security updates like this.
As is customary after Apple releases a security update version of iOS, the firms and people that discovered the vulnerabilities are coming out explaining how and why these security updates matter. Apple has already included a breakdown of what security issues were resolved in iOS 9.2.1, but it’s still nice to get a further detailed look into what made the vulnerabilities possible in the first place.
The security issue (CVE-2016-1730) was reported back in June of 2013, but SkyCure notes that it was a more complicated issue to fix than one would imagine. SkyCure’s discovery relates to the way iOS handles cookies when connecting to a malicious captive-enabled Wi-Fi network. You may have seen these types of networks if you’ve ever connected to a hotel, airport or Starbucks network.
On Thursday, security researchers at Zimperium zLabs had also released a report analyzing how their vulnerability (CVE-2016-1722) was discovered. This vulnerability appears to have taken less than two months to resolve. Zimperium’s discovery revolved around a heap buffer overflow in syslogd that would allow an attacker to have elevated privileges or even perform remote code execution (although this would require the device to be on an already trusted Wi-Fi network).
As the desire for better security, privacy, and encryption increases, I welcome the security researchers’ work and Apple’s “minor” update. Even if they don’t include any exciting new features, like new emoji.