Quick reminder first: headlines like this are often a sneaky way of ginning up traffic. It’s one of the oldest tricks in the book: just wrap any piece of declarative news (“Apple released a software update”) in imperative language (“you should update your Apple devices”).
Given the above, it’s easy to assume that publishers are once again crying wolf here, and we get that.
But you should actually consider listening this time, because this latest software update patches a major security flaw that Apple just recently discovered. (And if you just feel like reading, it’s still interesting info.)
Two FYIs on the Apple security-update thing:
1️⃣ It’s being called a “major” security flaw because of its access to sensitive information, NOT because it’ll brick your phone or because of gross negligence on Apple’s part. Cybersecurity is maddeningly complex by its nature, especially as devices’ technological capabilities grow, both separately and together. (Privacy and security are inherently at odds, and tech-connectedness requires you to give up some privacy by its nature.)
Apple has a good reputation for security, but that doesn’t mean their products are fully immune to issues like these.
2️⃣ The main vulnerability patched by the latest update had to do with zero-click attacks, which should not be confused with zero-day attacks. They can overlap, but they’re separate things and bad for very different reasons…
🅰️ Historically, most hacks and scams conducted over the internet require the victim to actively “take the bait” with at least one click. A person who is vigilant and skeptical enough (perhaps also paranoid) can avoid most such problems with vigilance and skepticism alone.
A zero-click attack basically means that the victim doesn’t have to do anything for the intruder to gain access to their device, not even a single errant click. Vigilance alone cannot protect you here. (Except, perhaps, when it comes to learning about the update you need to install.)
🅱️ Historically, and still today, software developers are aware of many potentially exploitable weaknesses in their code. That’s just the nature of the coding beast; it has nothing to do with the quality of work. Bug fixes and security patches are an iterative, continuous process; where they can’t (yet) eradicate problems outright, they can at least monitor them. But…
A zero-day attack basically means that the intruder is exploiting a vulnerability that the software company doesn’t know about yet.
A zero-day vulnerability is like an unlocked, unguarded, unmonitored door on the side of a massive military fortress. It’s harmless if the enemy doesn’t know about it, but it’s dangerous the moment it’s found, and it becomes increasingly damaging the longer the enemy can exploit it without detection.