Another day, another nag from your iPhone and Mac that an update is ready. And from Chrome. And for Microsoft, it’s patch Tuesday, so that’s another round of installs on your plate. As tempting as it may be to kick these down the road—why not just wait for iOS 15 in a few weeks?—you’ll want to go ahead and get these done.
Yes, this is standard advice; you should keep your software as up to date as possible as a matter of course. You could even turn on auto-updates for everything and skip the manual maintenance. But if you haven’t, today is an especially good day to be on top of it, because Apple, Google, and Microsoft have all pushed security fixes in the past two days for vulnerabilities that hackers are actively exploiting. It’s a zero-day patching extravaganza, and you don’t want to ignore your invite.
Update Your iPhone, Mac, and Apple Watch
The biggest headline-grabber of the bunch has been the exploit chain known as ForcedEntry. Reportedly tied to the notorious spyware broker NSO Group, the attack first came to light in August, when the University of Toronto’s Citizen Lab revealed that it had found evidence of “zero click” attacks, which require no interaction from the target to take hold, being deployed against human rights activists. Amnesty International found similar forensic traces of NSO Group malware in July.
You might rightly wonder: If these attacks were reported a few weeks ago—and the attack has been active since at least February—why is a fix only available now? The answer, at least in part, appears to be that Apple was working with incomplete information until September 7, when Citizen Lab discovered more details of the ForcedEntry exploit on the phone of an activist from Saudi Arabia. They ascertained not only that ForcedEntry targeted Apple’s image-rendering library, but that it affected macOS and watchOS in addition to iOS. On September 13, Apple pushed fixes for all three.
“We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly,” said Apple head of security and engineering Ivan Krstić in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
That’s not just spin; it’s true that only a very small number of Apple customers are at risk of NSO Group malware landing on their phones. A basic rule of thumb: If there’s any reason an authoritarian government might want to read your texts, you might be at risk. So, definitely patch right now if that’s you, but also know that the next million-dollar exploit is always just around the corner.
Even if you’re not a dissident, there’s value in pushing this update through. Now that some of the details are out, there’s a chance that less discerning crooks might try to attack that same weakness. And again, it’s good hygiene to keep your software as up to date as possible.
Making sure your iOS, macOS, and watchOS software is up to date is fortunately pretty straightforward. On your iPhone or iPad, head to Settings > General > Software Update. Tap Download and Install to get iOS 14.8 on your device, and while you’re there go ahead and toggle on automatic downloads and installs. Just note that automated updates won’t go through unless your phone is charged and connected to Wi-Fi overnight. You can update the Apple Watch from your iPhone as well; head to the Watch app, tap the My Watch tab, then General > Software Update. From the watch itself, tap Settings > General > Software update. For macOS, head to the Apple menu, then click on System Preferences > Update Now.
Sorry Microsoft fans, you’re on the hook as well. A week ago, the company disclosed that a zero-day vulnerability in Windows was being actively exploited. Rather than the nation-state actors that NGO Group sells its exploits to, the flaw in MSHTML—the rendering engine used by Internet Explorer and Microsoft Office—has been circulating among cybercriminals.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said in a security bulletin last week. If you open a tainted Office file, a hacker could get access that lets them execute commands on your machine remotely. And while Microsoft at first detailed some ways you could prevent a successful attack even without a patch, security researchers quickly figured out how to beat those workarounds. Not only that, but as security news site Bleeping Computer reported this week, hackers have actively been sharing details on forums about how to exploit the vulnerability for days before the patch was available.