Apple breaks update policy to secure older iPhones and iPads against zero-day

It's been four years since the company patched an end-of-life device against a major vulnerability

Apple has made a rare exception to its policy of not patching older-than-officially-supported devices by releasing security updates for the iPhone 5s and newer following the ‘severe’ zero-days discovered in August.

The zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterey essentially granted “administrative superpowers” to hackers, according to some security researchers.

The two ‘critical’ vulnerabilities could be chained together to gain control of an entire device with kernel privileges, Apple said at the time.

It meant attackers using a maliciously crafted web page could exploit an Apple device and assume control of features like the camera and microphone, and carry out other activities such as spying on apps and accessing nearly all data stored on the device.

Apple very rarely breaks its own policy of not applying security patches to unsupported devices. Apple currently supports iPhones as old as the iPhone 6, but this week’s updates push fixes to devices such as the iPhone 5s, iPad Air, iPad Mini 2, and the iPod touch (6th generation).

The last time it issued a backported fix for a major vulnerability was in 2018 when it updated older Macs to protect against the infamous Meltdown vulnerability affecting most Intel chips in use at the time of discovery.

The discovery of Meltdown was significant: Intel had for some time been the dominant chipmaker in the PC and Mac market, and the vulnerability was found to affect nearly every Intel chip from the previous 20 years.

The exploitation of Meltdown would allow attackers to ‘melt’ the kernel-level restrictions on the chip’s hardware and potentially access highly sensitive protected data.

It’s common for tech companies to decide when a device goes ‘end of life’ - the point at which it will no longer receive security updates. It can make the creation and management of security fixes easier, but companies have drawn criticism over the practice, which has been seen by some as a way of forcing users to pay for newer hardware sooner than needed.

Apple, however, is known to be one of the companies that offers the most updates to older hardware, with the current policy extending to iPhone 6 devices, released in September 2014 - eight years ago.

Other manufacturers in the Android ecosystem offer comparatively fewer updates for their devices. The generally perceived average is that Android OS devices will receive three years of security updates.

This can vary by manufacturer, though. For example, Samsung offers four years of security updates (five for enterprise devices) and other companies like Xiaomi offer no guarantees on the number of security updates they will provide users.

The Apple zero-days explained and analysed

Earlier in August, Apple fixed two zero-day vulnerabilities that may have been actively exploited in the wild.

The first of these, tracked as CVE-2022-32893, was a remote code execution (RCE) flaw in WebKit, Apple’s proprietary browser engine.

The vulnerability was exploitable in any WebKit-enabled browser such as Safari and all in-app browsers on iOS and iPadOS. It meant that nearly all devices could be exploited given the prevalence of in-app browser use, regardless of whether the user’s default browser was changed from Safari or not.

The second flaw, tracked as CVE-2022-32894, was a bug that required the attacker to gain an initial foothold on the target device to exploit it. The aforementioned WebKit vulnerability would have granted the necessary privileges to exploit the second.

It was a kernel-level code execution bug and the pair together garnered widespread attention from the world’s media given the severity of the potential outcomes.

Apple usually releases security updates for its devices at least every month, so it’s not uncommon for users to skip an update or two due to the time it takes to download and install them on each device.

The widespread reporting on the vulnerabilities could have influenced Apple to break its policy on providing security fixes for end-of-life devices - Apple has not commented on this explicitly, though.
