Apple has long enjoyed a reputation for being secure, with fewer hackers targeting users on those platforms, and well-designed software that wasn’t open to vulnerabilities. But as Apple is becoming a bigger player in business environments there are more incentives for bad actors to try and uncover and exploit weaknesses.
Unfortunately, Apple is increasingly affected by zero-day vulnerabilities in their updates, with two new issues from last week drawing large-scale attention. Apple has already faced 5 vulnerabilities in Q1 of this year. This is coming after a record-breaking 12 vulnerabilities in 2021.
The first of these vulnerabilities affected Apple’s mobile platforms; iOS and IPadOS, while the other impacted macOS. The vulnerability on mobile devices allowed a malicious actor to issue commands on a device with kernel privileges. In the macOS vulnerability, a bug in the Intel Graphics Driver allowed access to kernel memory.
Hackers are increasingly quick to find and exploit Apple Zero-days, which may be why more vulnerabilities are being detected over the past two years. The two most recent ones were reported by an anonymous source. It could very well be that more vulnerabilities were never detected or exploited in the past. At the same time, the increasing rate of publicized, exploited bugs does tarnish Apple’s security reputation. At the same time, they still appear to enjoy an edge over Microsoft and Google; who experienced anywhere between 21 and 16 zero-days in 2021.
Some security experts are raising further warning flags about Apple’s patches to these recent vulnerabilities. Although officially identified to affect max OS Monterey, Joshua Long at Intego thinks it’s likely that the bug will impact the older Big Sur and Catalina OS versions, which have not been patched. Similarly, users still on iOS 14, which is no longer being supported with security updates, are left exposed to this vulnerability. Joshua Long estimates as many as 35-40% of Macs may still be in danger.
Cyber security headline stories like these frequently reinforce that security is a group project. As users, we rely on our platforms and devices to be securely designed. However, even the most security-conscious developer won’t be able to create perfectly secure products all the time. Researchers and white hats perform essential service by reporting vulnerabilities like this so that they can be fixed. Security is hard and we need to work together.