Another day, another nag from your iPhone and Mac that an update is ready. And from Chrome. And for Microsoft, it’s Patch Tuesday, so that’s another round of installs on your plate. As tempting as it may be to put them off (why not just wait for iOS 15 in a few weeks?), you’ll want to go ahead and do this one.
Yes, this is standard advice; of course you should keep your software as up-to-date as possible. You could even enable auto-updates for everything and skip manual maintenance. But if you haven’t, today is an especially good day to catch up, as Apple, Google, and Microsoft have all released fixes in the past two days for security vulnerabilities that hackers are actively exploiting. It is a zero-day patching extravaganza, and you don’t want to ignore your invitation.
Update your iPhone, Mac, and Apple Watch
The biggest headline grabber of the bunch was the exploit chain known as ForcedEntry. The attack, allegedly linked to infamous spyware broker NSO Group, first became known in August, when the University of Toronto’s Citizen Lab announced that there was evidence that “zero-click” attacks, which do not require any interaction from the target to succeed, were being used against human rights defenders. Amnesty International found similar forensic traces of NSO Group malware in July.
You’d be right to ask: if these attacks were reported a few weeks ago, and the attack has been active since at least February, why is there a fix only now? The answer seems to be, at least in part, that Apple was working with incomplete information until Sept. 7, when Citizen Lab discovered more details about the ForcedEntry exploit on the phone of an activist from Saudi Arabia. Not only did they discover that ForcedEntry targeted Apple’s image rendering library, but also that it affected macOS and watchOS in addition to iOS. On September 13th, Apple pushed fixes for all three.
“We would like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so that we can develop this fix quickly,” said Ivan Krstić, director of security and engineering at Apple. “Attacks like the one described are sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they aren’t a threat to the overwhelming majority of our users, we continue to work tirelessly to keep all of our customers safe and we’re constantly adding new safeguards to their devices and data.”
It’s not just spin; it is true that only a very small number of Apple customers are at risk of NSO Group malware ending up on their phones. As a rule of thumb, if for any reason an authoritarian government wants to read your writing, you may be at risk. So by all means patch now if you are, but also know that the next million-dollar exploit is always around the corner.
Even if you’re not a dissident, it’s worth pushing through this update. Now that some details are known, chances are that less sophisticated crooks are attempting to attack the same weakness. And again, it is good hygiene to keep your software as up-to-date as possible.
Fortunately, making sure your iOS, macOS, and watchOS software is up to date is pretty easy. On your iPhone or iPad, go to Settings > General > Software Update. Tap Download and Install to get iOS 14.8 on your device, and while you’re there, turn on automatic downloads and installs. Note, however, that automatic updates will only occur when your phone is charged and connected to WiFi overnight. You can also update the Apple Watch from your iPhone: go to the Watch app, tap the My Watch tab, then General > Software Update. On the watch itself, tap Settings > General > Software Update. For macOS, go to the Apple menu and then click System Settings > Update Now.
Sorry, Microsoft fans, you’re on the hook too. A week ago, the company announced that a zero-day vulnerability in Windows was being actively exploited. Rather than being used by the nation-state actors to whom NSO Group sells its exploits, the flaw in MSHTML, the rendering engine used by Internet Explorer and Microsoft Office, is circulating among cybercriminals.
“Microsoft is aware of the targeted attacks that attempt to exploit this vulnerability using specially crafted Microsoft Office documents,” said the company in a security bulletin last week. If you open a compromised Office file, a hacker could gain the ability to remotely execute commands on your computer. And while Microsoft first pointed out a few ways you can prevent a successful attack even without a patch, security researchers quickly figured out how to bypass these workarounds. Not only that, but security news site Bleeping Computer reported this week that hackers had been actively sharing details on how to exploit the vulnerability on forums for days before the patch was available.