Apple pushes out iOS security update that’s more tight-lipped than ever

Credit to Author: Paul Ducklin| Date: Fri, 02 Dec 2022 21:02:43 +0000

It’s just under a month since iOS 16.1.1 came out for Apple iPhone users, fixing a pair of bugs that were listed with the worrying words “a remote user may be able to cause unexpected app termination or arbitrary code execution”.

Both macOS 13 Ventura and iPadOS got updated at the same time, with a pair of security bulletins published on Apple’s web site.

Now, there’s another security update, apparently moving iPhone users only up to version iOS 16.1.2.

We did it so we could report back to you

We have installed it, and after a comparatively modest download (by Apple standards, at least) of about 250MBytes, the reboot-and-update process completed reassuringly quickly, and our phone still seems to be working just fine.

But this update is mysterious even by Apple’s usually tight-lipped standards, with the company living up to, and perhaps even beyond, its official statement that it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.”

Apple insists that this veil of secrecy exists “[f]or the protection of our customers”, and if silence really is golden when it comes to cybersecurity updates, then we can only assume there’s an awfully serious bug getting fixed this time round.

Indeed, we haven’t yet received an Apple Security Advisory email, which is the usual way we hear about the latest patches, and Apple’s official security update portal HT201222 says nothing more than this:

iOS 16.1.2 (details available soon) – iPhone 8 and later – 30 Nov 2022

It’s now 2022-12-02, two days after the official release date shown above, and we can’t tell you anything more than what we learned from the popup that appeared when we went to Settings > General > Software Update.

This assured us that “this update provides important security updates”, and sent us on a fruitless loop back to the uninformative HT201222 page for “information about the security content”:

As you can see from the HT201222 screenshot above, this is, for now at least [2022-12-02T21:00Z], an iPhone-only patch, with no updates listed for any versions of iPadOS, macOS or Apple’s Watch and TV platforms.

What to do?

As mentioned above, we updated right away, on the grounds that the mystery only served to convince us that something serious was probably afoot…

…and because we are in the fortunate position of having an Android phone to fall back on if something goes wrong.

We therefore figured we’d take one for the team (by which we mean for the Naked Security community!) and see if there were any compelling reasons to advise you against the update.

Fortunately, we didn’t encounter any trouble that made us think you shouldn’t update, and many iPhone users probably either already have or will soon receive the update automatically.

But if, like us, you prefer to have at least some technical information to go on first, then, as we pointed out right in the headline itself, you’ll find Apple less communicative than ever this time.

Keep your eyes on that HT201222 portal page to keep up with the full story, and to watch out in case other Apple platforms (e.g. iPadOS, macOS) or earlier supported versions (e.g. iOS 15) get belated-but-related updates for the same security holes.

You’re welcome.

