Microsoft warns iOS isn't as secure as you think


Microsoft has warned customers that iOS is no more secure than Android, contradicting commonly held beliefs about the relative security of the two platforms. The company said that recent attacks targeting iOS prove it's as vulnerable as Android.

Brad Anderson, Microsoft's corporate vice president for enterprise and client mobility, set out his views in a company blog post last week. He used the Pegasus iOS spyware, revealed last month, as an example of severe vulnerabilities present in iOS. Pegasus is capable of monitoring everything a user does on their device, leaving them vulnerable to further attack.

The malware was analysed by Lookout Security, a Microsoft partner. In its report, Lookout described Pegasus as "the most sophisticated attack we've seen on any endpoint." Since it originates from a leading iOS security firm, Anderson said the statement reveals a lot about the state of security on Apple's platform.

Anderson is attempting to challenge the trust that consumers typically place in Apple. Android threats are far more numerous and gain more widespread attention than attacks on iOS. Contrary to the views of some customers, though, iOS is not immune to potentially devastating malware. Anderson said Pegasus should be a "pretty startling wake-up call" that everyone is "under constant persistent attack" on every platform.

Microsoft executives have reportedly indicated "unwavering implicit trust" in Apple's iOS "countless times," revealing how strong the association between Apple and security has become. The belief that Apple's platform is stronger than Android appears to derive from iOS' closed nature. Because it's a more controlled ecosystem, the attack surface available to malware is smaller than on Android.

This view is dangerous, according to Anderson. Every mobile device is at constant risk of attack, regardless of the platform it runs. "I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can to deliver the most secure operating system possible," said Anderson.

However, iOS, Android and Windows all have vulnerabilities that expose them to potentially devastating attacks. Some platforms are targeted more frequently than others but this shouldn't influence people to make assumptions about a platform's security. Pegasus demonstrates that even a closed ecosystem can be infiltrated by some of the most complex mobile malware ever observed.

Coming from Microsoft, Anderson's argument represents a powerful message to businesses and consumers that iOS may not be all it seems. Pegasus has proven iOS presents a viable attack vector to cybercriminals. It has also demonstrated that malware has been commercialised to the point that it's an off-the-shelf product, available for purchase from the secretive NSO Group. According to Microsoft, the idea of a single platform being more secure than others is an urban myth. In real-world terms, any device can be hacked and every user is a target.

Tim Cook defended Apple's approach to security: 'Encryption is inherently great'

Apple CEO Tim Cook has robustly defended his company's strident approach to security in a new on-stage Q&A, declaring: "Encryption is inherently great."

The Cupertino tech exec spoke in Salt Lake City, Utah, as part of the US state's "Utah Tech Tour" event

Microsoft adds 'non-security updates' to security patches

MS16-023, billed as a “Security update for Internet Explorer” and issued on March 8, includes six “General distribution release (GDR) fixes”.

Five are innocuous as they address glitches like “Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML.”

But the last item on the list, item 3146449, has the rather more interesting title “Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7.”

A great many users just accept all Windows updates, so will never see item 3146449. Even if you are diligent enough to visit the page for MS16-023 you'll probably miss it, because it's far enough down the page that scrolling is required to see it.

Only once you visit 3146449's knowledge base page will you find the following explanation for the patch:

This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.

We've no idea what that means, so have asked Microsoft what that sentence means in an effort to understand the sentence and the purpose of item 3146449.

Some users report that the update adds ads to older versions of Windows. Those ads include a button to initiate a Windows 10 upgrade.

Windows 10 is growing nicely, gaining one per cent of global market share in February alone. Microsoft's made no secret of its ambitions to quickly kill off Windows 8.x and its predecessors.
