iOS & iPadOS 16.4.1
Released:
April 7, 2023
Executive Summary:
Late last week, Apple released incremental updates for all currently-supported iOS and iPadOS devices. In addition to some minor bug fixes, the updates include fixes for two security vulnerabilities. Apple has learned that one or both may have been exploited in the wild. Because threat actors already have access to exploits targeting these vulnerabilities, there is an increased sense of urgency to patch and protect potentially affected devices.
Andy's Analysis:
The two vulnerabilities fixed in this incremental update are critical. Between the two, the WebKit vulnerability is more concerning to me, particularly for High-Value Targets (HVTs) and Very Important Person(s) (VIPs). This type of WebKit code execution is the meat and potatoes of APT-level exploitation. Adversaries in this domain are looking for zero interaction, surreptitious code execution attack chains. WebKit must act as a sort of shield between the user, the kernel, and the wild-west open internet. It has many robust protections in place, including sandboxing, thread isolation, and a host of binary hardening tweaks. Additionally, all browser apps for iOS run on the WebKit engine, under the hood. Each third-party browser is effectively a GUI wrapper sitting on top of Safari. This is required by Apple policy. It is up for debate as to whether this security control has been effective at its intended purpose. However, as a result of this partially homogeneous browser ecosystem, WebKit vulnerabilities are quite valuable.From a technical standpoint, users who have automatic OS updates enabled will see this patch automatically pushed faster than a major or minor point update. Apple staggers the push of automatic updates based on the patch’s point update type (major, minor, incremental) and other on-device analytics. In short, as an example, a device should self-update from 16.4 to 16.4.1 much faster than it would from 16.3.2 to 16.4.
Wrap-up:
Keeping up with proper patching cadence is a mission-critical, never-ending task in our world. Unless there is a clear reason to avoid a specific update, security-conscious users and admins should be amongst the early patch adopters. This update is considered incremental, the lowest tier of patch importance. My advice would still be to prioritize patch deployment for any devices used by HVT/VIPs in your environment. Get the C-suite updated and then pivot to general/global deployment.Discussion:
- Do you allow any development builds of iOS or iPadOS in your production environment? Have you found any legitimate use cases for doing so?
- Does your org use one MDM solution for all Apple devices or are there multiple tenants/subestates?
- What is your most requested feature or fix for Apple enterprise offerings?