Apple OS updates patch multiple security holes

Users of Apple mobile devices are being urged to upgrade their phones and tablets to the latest version of iOS 14.5 in order to mitigate the impact of a number of common vulnerabilities and exposures (CVEs), some of which appear to be being exploited by malicious actors.

The launch of iOS 14.5 had already been hailed as a pivotal moment by privacy advocates as it introduces long-awaited controls on how third-party apps – such as Facebook – can track iPhone users.

The new operating system (OS) fixes more than 40 CVEs – a full list is available from Apple – including an arbitrary content execution vulnerability in WebKit Storage, CVE-2021-30661, which Apple says may already have been taken advantage of.

At the same time, an update to macOS – Big Sur 11.3 – also fixes multiple CVEs, including one that appears to be being actively exploited to deliver the Shlayer malware, according to threat researchers. A list of these vulnerabilities, some of which are common to the mobile update, is available from Apple.

Meanwhile, the new privacy feature makes apps that use Apple’s ID for Advertisers (IDFA) identifier display a standardised warning and an opt-in option before installation. Users had previously only been able to opt out after installation.

This is expected to have a transformational effect on the online advertising market, and has been badly received by the likes of Facebook, which has based its entire business model on scraping and sharing as much of its users’ data as it can. It has said the change to IDFA could negatively impact small businesses’ ability to find new customers from adverts by 60%.

Ray Walsh of ProPrivacy described the privacy overhaul as a massive win for consumers: “Apple’s release of iOS 14.5 this week will finally give users the ability to prevent themselves from being tracked by app developers using the IDFA code,” he said.

“Preliminary figures appear to reveal that around 80% of Apple users intend to deny consent for apps to track their IDFA as they move around the internet, a significant number which demonstrates that privacy is something close to those users’ hearts.

“It is great to see Apple forging ahead with its plan to provide added transparency and privacy controls to its users, and we can only hope that consumers opt to improve their privacy by denying consent to IDFA tracking.”

In an updated blog post, Dan Levy, vice-president of ads and business products at Facebook, said Apple’s prompt discouraged people from giving their permission to have their web use tracked by Facebook and provided little detail as to what their decision ultimately means.

“We disagree with Apple’s approach but will be showing their prompt to ensure stability for the businesses and people who use our services,” he said.

“Apple’s new prompt suggests there is a trade-off between personalised advertising and privacy, when in fact we can and do provide both. The Apple prompt also provides no context about the benefits of personalised ads.”

Levy said Facebook would also now show a screen of its own, alongside Apple’s, which will provide more information about how the social media platform uses personalised ads “which support small businesses and keep apps free”. He claimed this would help users “make a more informed decision”.

Levy added: “If you accept the prompts for Facebook and Instagram, the ads you see on those apps won’t change. If you decline, you will still see ads, but they will be less relevant to you. Agreeing to these prompts doesn’t result in Facebook collecting new types of data. It just means that we can continue to give people better experiences. We feel that people deserve the additional context, and Apple has said that providing education is allowed.”