ADVERTISEMENT

75% OFF on WinX Media Management Bundle (Lifetime License) This must-have media management bundle includes WinX DVD Ripper Platinum, WinX DVD Copy, WinX Video Converter Deluxe and WinX MediaTrans. Highlights: Rip encrypted DVDs, clone DVD disc, convert/download/compress/edit video, and manage iPhone. 75% OFF to get lifetime license – lowest price + free lifetime upgrade guarantee. Go to the bundle page now >

PATCH WATCH

By Susan Bradley

Apple’s recent releases encourage new hardware.

There are several people at my office who constantly purchase the latest iPhone or iPad, turning in their old devices in the process. I’m not that adventurous — I don’t recommend updating quite that fast.

However, I do recommend an upgrade if your phone is an older model, such as iPhone 8. Why? Because the best security is provided on the newest hardware, and because Apple has become more like Microsoft in requiring newer hardware to protect against snooping, zero days, and other risks.

I’m far from the only one who thinks this way. As noted in the Center for Internet Security (CIS) benchmarks, if you have users that are high-value targets, or think you might be one,

Physical security exploits against iOS devices are rarely demonstrated within two years of the release of the underlying architecture. For users whose physical iOS device(s) may be targeted, it is prudent to use the most recently released architecture.

You want the following devices, or a later model:

A “high-value target” is defined as a user who may be likely to experience a physical-level device attack. These individuals include politicians, journalists, activists, members of the military, civilian government personnel, business executives, and wealthy individuals. But even if you aren’t in one of those groups, a newer device will provide a better, more pleasing user experience and improve your security posture. It’s also the case that applications get updates to take advantage of the higher performance and new features of newer devices, which tends to make them slow down on older devices.

There are other reasons for new hardware, amongst them longer battery life; larger form factors, with displays that allow better readability; and better cameras. These things are not discussed as much after the initial marketing buzz dies down, but we rely on these pocket-sized devices for so much these days that updates become desirable. That’s especially true with the cameras — smartphones have almost entirely destroyed the consumer market for small cameras and camcorders. The smartphone cameras keep getting better and better, with manufacturers investing heavily in them.

I certainly don’t recommend updating this type of hardware every year, because that can be an expensive proposition. However, I do not keep iPhones or iPads for as long as I do Windows desktops and laptops.

Whether you are a high-value target or not, there are some settings you may want to check. At the top of my list is personalized advertising. Launch the Settings app and navigate to Privacy and Security | Apple Advertising, then set Personalized Ads on or off, as you prefer.

Whenever you get a new device, review its permissions and settings. The migration from one iPhone or iPad to a newer version is usually easy and thorough; but if you don’t check, you can’t be sure Apple did exactly what you prefer. Apple provides an iPhone User Guide with a section on Security & Privacy, which I recommend as a roadmap for performing a complete security check. It is comprehensive and includes such things as managing the information you share with people and applications, protecting email addresses, using iCloud Private Relay to browse more safely, and putting the phone in lockdown mode.

If you visit the iPhone User Guide, you’ll notice a dropdown at the top to select the appropriate version of iOS. As of this writing, that dropdown includes only iOS 16, 15, and 14. That should be a clue.

In iOS 16, a new option called “Install System and Data Files” (Settings | General | Software Update) lets users enable automatic security updates independently of iOS updates. This will allow you to get security-only updates while pushing off the major updates. By default, this option is enabled — and I recommend keeping it so.

More and more firms are starting to deploy Apple devices in a Microsoft network. In the last quarter, Mac hardware sales increased while Windows-based hardware decreased. Microsoft realizes this as well and, slowly, has been offering more and more tools and techniques to control Apple iPhones, iPads, and Macs in a domain setting. Microsoft’s Intune continues to get more and more features to manage and control Macs. For example, you can remotely wipe a device, should someone leave the firm and you need to redeploy the operating systems. There are several excellent online videos showcasing selective wipe as well as remotely erasing a device.

Be aware that Apple devices with Apple silicon have different manageability capabilities, as compared to those with Intel chips. As Nathaniel Strauss writes:

On a Mac with Apple silicon, the device reboots into the recoveryOS, where the only options are to restart, [shut down], activate, or erase the Mac. To activate the Mac, select an administrator user and provide the password. This activation step requires an internet connection.

Strauss goes on to warn that:

On Intel Macs running Big Sur the lock command still works as it has in the past. On Apple silicon though, instead of the lock command locking the Mac, it boots to recovery. Once in recovery, to get back to the installed OS with user data [intact], an admin account must authenticate. However, anyone can still choose to erase the disk and set the Mac up as new. Not much of a theft [deterrent]. The lock command has always been tied to EFI (and UEFI), and with EFI being gone on Apple silicon, Apple declined to port the feature over to the new boot process.

The Microsoft Intune team warns specifically of this issue:

A remote wipe for Apple silicon-based devices running macOS 12.0.1 or later requires a bootstrap token issued by Microsoft Intune.

Last March, Microsoft made the change to better support Apple silicon. You may need to run a GitHub script to check the status of your devices to ensure they are ready to be managed.

Generally speaking, Apple devices are similar to Windows when it comes to patch management. Even though you never want to be first on a new release, you also do not want to run your devices without updates.

As an example, I am still not recommending an update to the latest version of macOS Ventura for either home or business use. There are still too many side effects with business applications (such as Teams) to be recommending it at this time. Apple tends to support releases for at least three years, but during that time the newer releases get more support than the older ones. As noted by The Eclectic Light Company:

When the current version of macOS loses its general support, and starts its two years of security-only fixes, there are still many bugs left in it, which are only likely to be fixed in the new version.

Ventura inherits the same rapid-security patch code as iOS 16. It will receive smaller security patches long before they are incorporated into the larger OS releases. I’m hoping to recommend Ventura soon, but until then, just know that the process of Apple security issues will be better on newer operating systems.

Just as with Windows releases, newer is better. But sometimes it’s a bit bumpy getting there.

References

Join the conversation! Your questions, comments, and feedback about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

FROM THE FORUMS

By Susan Bradley

Last week, there was an incident in the forums that was unexpected and of some concern.

Someone (let’s codename the person “Rogue”) signed up for a Plus membership, then used it to send direct messages (DMs) to several other members. The DM contained a solicitation.

One of the members contacted got in touch with me immediately. Though there did not appear to be anything overtly problematic, our member expressed reservations about the legitimacy of the solicitation. I made a quick, initial investigation, concluding that this was some sort of scam. Here’s what I did:

My actions relating to this incident make clear that I will not tolerate such behavior.

The solicitation was an offer to purchase a member’s Malwarebytes “Lifetime” license. That’s an important point here — Rogue was dangling cash. That should raise instant suspicion, just as it would if you got the same solicitation in your email. And why was the member who reported the matter suspicious? Simple, really — he doesn’t own such a license. And if he did, how would the scammer know?

There is little we can do to prevent this sort of thing. We can stop it only after we become aware. We very much appreciate our member’s alertness and his willingness to report the incident.

Also, DMs are private, which gives them an air of safety. But don’t let your instincts for secure behavior be overwhelmed with a lure. Don’t react immediately, do what research you can (check the profile of the person sending the DM), and let me know as rapidly as you can.

By the way, I will be making a change that should discourage any future Rogues. We’ve been planning the change for several months, and it will be announced in our Bonus issue next week.

Join the conversation! Your questions, comments, and feedback about this topic are always welcome in our forums!

ADVERTISEMENT

Enjoying the newsletter? Become a PLUS member and get it all!
	Don’t miss any of our great content about Windows, Microsoft, Office, 365, PCs, hardware, software, privacy, security, safety, useful and safe freeware, important news, analysis, and Susan Bradley’s popular and sought-after patch advice. PLUS, these exclusive benefits: Every article, delivered to your inbox MS-DEFCON Alerts, delivered to your inbox MS-DEFCON Alerts available via TEXT message Total access to the archive of nearly two decades of newsletters No ads Identification as a Plus member in our popular forums We’re supported by donations — choose any amount for a one-year membership.