Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
As the biggest technology company in the world, hitting a market value of $2.6 trillion, you’d be forgiven for thinking that Apple’s position was unassailable. However, the discovery of two-new zero-day vulnerabilities suggests that the provider might be more vulnerable to threat actors than previously thought.
Last week, on August 17, Apple announced that it had discovered two zero-day vulnerabilities for iOS 15.6.1 and iPadOS 15.6.1. The first would enable an application to execute arbitrary code with kernel privileges, the second would mean that processing maliciously crafted web content may lead to arbitrary code execution.
With adoption of macOS devices in enterprise environments steadily increasing, and reaching 23% last year, Apple’s products are becoming a bigger target for enterprises.
Traditionally, the wider adoption of Windows devices has made them the number one target for attackers, but as enterprise usage of Apple devices increases due to the pandemic-accelerated remote-working movement, threat actors are going to spend more time targeting Apple devices to gain initial access to environments, and enterprises need to be prepared.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
So how bad is it really?
These newly discovered vulnerabilities, which Apple reports are being “actively exploited,” allow an attacker to remotely deploy malicious code, which would allow an attacker to break into an enterprise network.
“A compromised personal device could result in initial access to the corporate environment. Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs,” said Rick Holland, CISO at digital risk protection provider Digital Shadows.
The problem is that security teams can’t update employees’ devices the way they could on-site resources, and with the line between work and personal devices becoming increasingly blurred, it’s becoming more difficult to guarantee that all infrastructure is adequately maintained.
“Even if you can patch the corporate devices, you can’t update all the personal devices employees might use,” said Holland.
When considering that the lines between work and personal devices have become increasingly blurred in this era of hybrid working, with 39% of workers using personal devices to access corporate data, any employees using Apple devices to access key resources could be putting regulated data at risk.
As a result, even organizations that don’t use Apple devices on-site can’t guarantee they’re protected against these vulnerabilities.
The answer: Patching
In response to the new Apple vulnerabilities, CISOs and security leaders need to verify that all on-site and remote, personal devices have the necessary patches. Failure to do so could leave an entry point open for an attacker to exploit.
The most effective way to remediate the risk of these new vulnerabilities is not only by using mobile device management solutions to help push updates to connected devices remotely, but to focus more on educating employees on the risks of failing to patch personal devices.
“These updates present a security awareness opportunity to discuss the risks to employees’ lives and provide patching instructions, including how to enable automatic updates,” Holland said.