Install iOS updates, even if they seem minor

Earlier this week, Apple released iOS 10.3.2 for iPhone and iPad.  Any X.X.1, X.X.2, etc. update is typically considered a minor update which adds no new features and just addresses some bugs and/or security issues.  Sure enough, the release notes for iOS 10.3.2 say that it “includes bug fixes and improves the security of your iPhone or iPad.”  You can get more details on the security improvements on the Apple website, where you will learn that iOS 10.3.2 fixes things like memory leaks that could allow an app to get kernel privileges, a flaw that could let an app execute arbitrary code, and a memory issue that could allow an app to cause a denial of service.  But the concept of “security updates” may seem so unexciting that I’m sure that many folks conclude that they don’t want to waste the time installing the update.

This week we learned, once again, that security patches are important.  As noted in numerous news stories such as this one from the Washington Post, a few years ago the NSA developed something it called EternalBlue, a hacking tool that the NSA could use to access computers to help U.S. interests.  But the tool was stolen by hackers, and after the NSA discovered that, the NSA revealed the tool to Microsoft so that Microsoft could patch the flaw in Windows that the tool exploited.  Microsoft released that patch in March of 2017, but many computers had not yet been updated, and as a result … well, I presume you heard about all of the computers around the world that were the victim of ransomware a few days ago, including a number of hospitals in London.  As the Post article notes:  “The malicious code at the heart of the WannaCry virus that hit computer systems globally late last week was apparently stolen from the NSA, repackaged by cybercriminals and unleashed on the world for a cyberattack that now ranks as among the most disruptive in history.”

From a worldwide perspective, WannaCry may be one of the most disruptive cyberattacks.  But for Rhode Island law firm Moses Afonso Ryan, the most disruptive cyberattack was last year when a hacker took control of its computers and the firm had to pay a $25,000 ransom to get access to its systems again after three months.  Even worse, as reported this month by Debra Cassens Weiss in ABA Journal, the law firm lost $700,000 in billings due to the attack, and its business interruption insurer is denying coverage.

It is unfortunate, although perhaps unsurprising, for a law firm to be a victim of hackers.  I’m more amazed that the NSA — which must be one of the most security-conscious organizations in the world — could even be the victim of hackers.  If the NSA is vulnerable, anyone is vulnerable.  And as a side note, this is the sort of thing I was thinking of when I noted in the past during the FBI vs. Apple litigation that it was foolhardy for the FBI to ask Apple to create a backdoor for the government to access iPhones.  Even if a special key was created only for the government, and even if the government honestly tried to keep that key secret, the risk of it being accessed by bad guys is simply too great to ignore.

However, my goal today is not to reignite the FBI vs. Apple debate, but instead to point out that virtually all software and hardware can have bugs and flaws.  Fortunately, when these problems are discovered, they can typically be patched.  I don’t think I’ve ever seen an iOS update that doesn’t include at least some security patches.  Hopefully, iOS 10.3.2 wasn’t patching anything as dangerous as the Windows flaw used by EternalBlue and the WannaCry virus, but you never know.  What I do know is that when Apple (or Microsoft or any trusted vendor) releases a security update, you should install the update.  Maybe you don’t want to install it immediately, just in case the update itself has a flaw.  That happened in 2013 with iOS 6.1, in 2014 with iOS 8.0.1, in 2016 with iOS 10.0, and other times as well.  But Apple typically discovers those bugs very quickly, and then pulls the update until the issue is fixed.  Once an update has been out for a day or two, you can feel safe installing the update.  Of course, it is always best to back up your iPhone or iPad before installing any update.  (I usually practice what I preach, but to be honest sometimes I just install the update and cross my fingers.)

If you haven’t yet updated to iOS 10.3.2, it is time to do so now.  Open the Settings app, tap General, and tap Software Update.
