Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
2nd August 2019
Just in time for the summer break when all the users are out of the office, we have an urgent security advisory on iOS.
The full details of the latest scary issue are here, but in summary: anyone running iOS 12 (so pretty much everyone) can be targeted by a malformed iMessage that could result in code injection onto the device. The PoC detailed in the bug report alone includes example code that reads files from the device.
That’s about as serious as it gets folks. Your users open a message on their device and weird things start happening…
And unless you have Mobile Threat Defence, your users are defenceless against this, and as an admin you’d be blind to it happening. I know I keep making this point, but the idea that iOS is ‘secure enough’ just isn’t the case anymore. I’m not knocking Apple here – it’s just a fact of life that their software will have bugs and flaws like everyone else’s.
Now for the good news – it’s already patched (and fair play to Apple here – they don’t muck about with patching stuff). iOS 12.4 was released on the 22nd of July and has the fix for this.
But, the potential bad news (at least as far as I have seen personally this week) is that the little red notification to update isn’t being pushed out yet here in the UK. On the (admittedly small) sample I’ve looked at (one on EE and the other on Three) there wasn’t a prompt to update on the device, so your users might not be aware that there is an update out there…
So, screw the roaming charges if they’re all on holiday, you really need to tell your users to update! Attackers know they have a window of opportunity here.
Oh, and if you still think you don’t need Mobile Threat Defence then I’m sorry, but you’ve got your head in the sand… speaking of which, I’m off to the beach for a couple of weeks!