NEVER-ENDING WARNINGS

After all, hardly a day goes by that we’re not receiving yet another warning that our favorite Windows PC, Android phone, Ring smart doorbell, or Roomba smart vacuum cleaner needs a software update to patch a weakness that seemingly came out of nowhere. We’ve become almost numb to the never-ending threat landscape, to the sky-is-falling warnings that it’s time, yet again, to batten down the hatches.

At the same time, it’s just as easy to understand why we can’t afford to ignore the warnings. And why it’s long past due for employers and employees alike to change their behaviors when it comes to updating their software. As software developers, this is an issue that hits particularly close to home for us and our clients – and we need to rethink how we manage cases like this.

THE NEW NORMAL

Despite the headlines this time out, these kinds of events happen on an almost daily basis, and they tend to play out in a consistent manner:

• First, a researcher or some other member of the broader community finds a weakness.
• Said researcher then lets the vendor know.
• The vendor assigns developers to build, test, and distribute an update.
• End-users must ensure it gets downloaded and installed.

In this specific case, anyone using a modern and currently supported Apple device needs to update to the following OS versions:

• iOS 15.6.1 or higher
• iPadOS 15.6.1 or higher
• macOS Monterey 12.5.1 or higher

In fairness to Apple, Microsoft, Google, and every other tech vendor, operating system software is incredibly complex, and vulnerabilities can lurk quietly amid the millions of lines of code, often for years on end. So there is no way any company – even one as powerful and resource-rich as Apple – can realistically or feasibly know up-front about every particular vulnerability, or every manner in which a vulnerability can be exploited. That explains why they ship with hidden flaws buried deep within them, and why those flaws tend to get discovered over time.

Even so, while this happens somewhat regularly, this particular case is especially worrisome – which largely explains why it received so much play in mainstream media.

Apple’s warning focused on two vulnerabilities – one in the kernel, the very core of the operating system, and the other in WebKit, which powers the browser – that could potentially allow an attacker to gain administrator-level access to a target device. This would allow them to take full control of the device, install any kind of malware or spyware that they wish, and harvest all data, contacts, authentication, you name it, all without the target user’s knowledge.

It means anyone who takes advantage of these weaknesses would essentially have the keys to the kingdom, and not applying the fix immediately would be the technological equivalent of leaving the front door of your house wide open as an invitation to criminals.

This particular event serves as a reminder that most of us are not taking security as seriously as we need to. Whatever role we play, from knowledge worker right up to CEO, we must sharpen our individual responses. From an organizational perspective, these are the priority areas that business and IT leaders need to focus on, particularly as hybrid and remote work styles become more entrenched:

1. Train end users better by incorporating software update best practices into existing courseware and documentation.
2. Implement change management to keep better track in-use hardware both in the office and remotely.
3. Include non-corporate hardware because personal devices running outdated code put corporate and resources at risk.
4. Involve HR to ensure the right messaging around software updates is being included in ongoing employee communications, and the right behaviors are being encouraged and rewarded.
5. Get employee feedback around what works for them, what doesn’t, and how they would improve end-user security. 

The immediate priority for all organizations supporting hybrid workers is to pay attention to these particular warnings from Apple, and ensure no device is left untouched. It certainly won’t hurt to apply updates immediately to all end-user devices regardless of vendor, as well.

Employees should also be encouraged to go into settings – for both corporate-owned as well as personal devices – and turn on auto-update, then check back regularly – every few weeks or so to ensure they’ve always got the latest version applied.

Here at STEP Software, we create software for a wide range of clients, and the benefits of a security-first culture around software updates extend well beyond simply avoiding unnecessary risk. By raising employee engagement around keeping devices, operating systems, platforms, apps, browsers, and technology in general fully up-to-date, organizations can ensure they’re getting the best possible returns out of their investments in tech.