Mistakes happen—even at the world’s leading companies—as the raft of security announcements for Microsoft, Apple and Google platforms in recent weeks shows all too well. And so, accepting that, it comes down to what you do when it happens. And Apple is arguably leading the way in the speed and effectiveness of its responses.
On Monday [August 26], Apple released an emergency fix for the iPhone. In a highly-publicized and embarrassing errors, the Cupertino tech giant had accidentally reopened a vulnerability in its iOS 12.4 release that enabled a current generation iPhone to be jailbroken and therefore hacked. Now iOS 12.4.1 slams that particular door shut once again.
The issue for users was that the vulnerability (while open) could allow a dangerous hack to be installed on devices through downloaded apps, with the usual protections to prevent the malware mounting an attack across the device being down.
There was shock (and some excitement) in the Infosecurity community at such a glaring error from Apple. Yes, the vulnerability leaving devices open to attack was a potential disaster for the company. But the idea of a modern jailbroken iPhone was an unexpected gift for some in the community. A jailbreak had been released very efficiently as soon as Apple left its backdoor open.
Apple’s notes on the emergency release acknowledge that it prevents the potential for “a malicious application to execute arbitrary code with system privileges,” through “improved memory management.” Apple credited Ned Williamson who sometimes works alongside Google Project Zero for identifying the vulnerability, as well as @Pwn20wnd “for their assistance” in proving the jailbreak.
Apple made a huge mistake. And now they have fixed it and done so quickly. Apple quickly addressed the recent Bluetooth KNOB vulnerability, and when the Zoom conference calling exploit was published, where poor software architecture left devices open to attack, Apple rolled out a mandatory release to its MacBooks to fix it.
Apple has locked down its ecosystem in a way that others have not. It has advantages and limitations. But when the company has been tested in recent weeks, at least in my view, they have done the right things to maintain confidence in the brand. Not all of the company’s peers can say the same.