Canada

Why Apple products are more vulnerable than ever to security threats

Couldn’t attend Transform 2022? Check out all the summit sessions in our on-demand library now! Watch here.

As the largest technology company in the world, reaching a market value of $2.6 trillion, you’d be forgiven for thinking that Apple’s position is unshakable. However, the discovery of two new zero-day vulnerabilities suggests that the vendor may be more vulnerable to threats than previously thought.

Last week, on August 17, Apple announced that it had discovered two zero-day vulnerabilities for iOS 15.6.1 and iPadOS 15.6.1. The former would allow an application to execute arbitrary code with kernel privileges, the latter would mean that processing maliciously crafted web content could lead to arbitrary code execution.

With the adoption of macOS devices in enterprise environments steadily increasing, reaching 23% last year, Apple products are becoming a bigger target for enterprises.

Traditionally, the wider adoption of Windows devices has made them the number one target for attackers, but as corporate use of Apple devices increases due to the pandemic-accelerated telecommuting movement, threat actors will spend more time targeting Apple devices , to gain initial access to environments and enterprises must be prepared.

An event

MetaBeat 2022

MetaBeat will bring together thought leaders to provide guidance on how the technology metaverse will transform the way all industries communicate and do business on October 4 in San Francisco, California.

Register here

So how bad is it really?

These newly discovered vulnerabilities, which Apple says are being “actively exploited,” allow an attacker to remotely deploy malicious code that would allow an attacker to infiltrate a corporate network.

“A compromised personal device can lead to initial access to the corporate environment. Defenders should immediately release patches and send notices that employees should patch any personal iPhones, iPads or Macs,” said Rick Holland, CISO at digital risk protection provider Digital Shadows.

The problem is that security teams can’t update employee devices the way they could with on-premises resources, and as the line between work and personal devices becomes more blurred, it’s harder to ensure that all infrastructure is adequately maintained.

“Even if you can patch corporate devices, you can’t update all the personal devices that employees might be using,” Holland said.

Given that the lines between work and personal devices are increasingly blurred in this era of hybrid work, with 39% of workers using personal devices to access corporate data, every employee using Apple devices to access key resources , may put regulated data at risk.

As a result, even organizations that do not use Apple devices on-premises cannot guarantee that they are protected against these vulnerabilities.

The answer: A patch

In response to Apple’s new vulnerabilities, CISOs and security leaders must verify that all on-site and remote personal devices have the necessary patches. Failure to do so could leave an entry point open for an attacker to exploit.

The most effective way to address the risk of these new vulnerabilities is not only by using mobile device management solutions to help push updates to connected devices remotely, but also to focus more on educating employees about the risks of failure to charge personal devices.

“These updates are a security awareness opportunity to discuss the risks to employees’ lives and provide remediation instructions, including how to enable automatic updates,” Holland said.

VentureBeat’s mission is to be a digital town square for technical decision makers to gain knowledge about transformative enterprise technologies and transactions. Learn more about membership.