Apple has updated macOS, iOS, iPadOS, and watchOS to fix two active vulnerabilities, one of which let attackers work around Apple’s BlastDoor protections.
The Catalina update seemed to install fine for me (rebooting three times during the installation process).
The iOS update didn’t want to install over-the-air on my iPod Touch. The first time I tried, it said that the download failed. The second time, it said “To download and install this software update, connect your iPod Touch to your computer”. So I had to install the update via USB. It seems to have installed fine, but it started nagging me about enabling Siri (I had previously turned it off) in order to “complete the installation”. So I turned it on and off again and it stopped complaining.
iPhone says it needs a Wi-Fi connection. Except I’m traveling and the current Wi-Fi is one of those flaky insecure ones that you put the password in with a browser.
I understand completely. System updates are big - you generally don’t want to blow through your mobile data allowance for this.
Yes, I’m aware that you may have an unlimited plan, but even then there are often caps and you don’t want to end up rate-limited for the rest of the month if you go over.
As for using hotel Wi-Fi, a flaky connection can make the experience frustrating. I wouldn’t worry about security, since Apple uses HTTPS and signs their firmware installers.
If you need to wait a few days until you get home, I personally wouldn’t see a problem with it. If you’re concerned, just make sure to not open any downloaded PDFs on your phone until you get home. In my case, I don’t open very many, and they are almost always my own files that I’m downloading from my own Google Drive.
I just looked on my Update preferences, and yes, it says that 14.1.2 is available. I remember installing that a while ago with the last Security Update (2021-005), and when I look at “About Safari” it says: Version 14.1.2, and Finder Info for the Safari app also says Version 14.1.2.
I installed it and things seem fine, and About Safari says 14.1.2 (14611.3.10.1.7), so a (very!) slight bump in build number. So if you install it, it will be an update, not a reinstall.
It turns out that the CoreGraphics vulnerability fixed in these updates is being used by NSO Group’s Pegasus spyware to enable a zero-click exploit. In other words, a Pegasus customer (a government, theoretically) can take over an iPhone merely by sending it an image.
In other words, update your Apple devices right away.
That’s not to say that anyone reading this is likely at risk. As Apple’s head of security engineering told the New York Times:
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals.”
So unless you are personally of interest to a hostile government, there probably isn’t much to worry about.
My concern would be that now that the vulnerability has been fixed, it could be resold to lower-level criminals who would be happy to use it in a less targeted fashion against those who haven’t updated.
Well… My only guess is that they have somewhat different releases for specific Mac models depending on specific hardware configs. It’s the last and most insignificant number, but mine still shows a .6 where yours shows .7.
According to what I just looked up, this is the same Pegasus exploit that has been used by nation states against various people for quite some time.
The big news is that someone appears to have delivered a copy to Apple, so now it will be possible for them to fix it (assuming it wasn’t the fix that just shipped today).
OK, well I can’t use any of those so it is moot for me. Fortunately I very seldom use iMessage - probably have used it less than a couple of dozen times in the last 10 years.
I’ve tried for a couple of days now to get the 11.6 to install in my iMac. I’ve restarted, closed all apps with just the software update. It gets to 10 minutes left and then doesn’t continue. Left it on overnight, and no update. Hoping the members here can provide a guide as it is a security update.