Apple has released iOS 11.4, presumably with the new 7-day USB shutout feature we wrote about recently.
If the word “presumably” above sound vague, it is, because this particular update didn’t arrive with its usual documentary certainty.
Regular readers will know I’m a proponent of prompt security updates, and that I like to say, “Patch early, patch often,” yet this time I wasn’t first out of the blocks – I found out about the new iOS almost by accident.
That’s because I made a routine visit to Settings → General → Software Update on my iPhone yesterday, without any notifications from Apple to clue me in.
(Whichever device, operating system or apps you use, and no matter how aggressively and automatically you’ve configured your patching process, it’s worth doing a manual cross-check every so often – just in case you’re out of date but didn’t know it.)
Anyway, there it was: iOS 11.4, ready to install.
Given my public “patch early” proselytising, I could hardly say, “No.”
So I grabbed it and rebooted – all went fine, I am pleased to say, and the installation process felt a lot faster than usual, so I’m as up to date and as well-patched as the fastest and the best Apple fanbuoy amongst us.
However, everything about the security part of iOS 11.4 is still a mystery, to me at least.
I’m signed up to Apple’s security advisory emails, have been for years, and I’ve generally found them timely enough to prod me into being amongst the very first to update, on both my Mac and my iPhone.
This time, nothing.
I jumped to the conclusion that I’d been thrown off the list as an understandable but regrettable side-effect of all the GDPR panic out there.
But signing up again simply provoked an email confirming that I was already on the list, and not to worry.
A trip to Apple’s handy security updates landing page, HT201222, didn’t help much, either.
Presumably there are security fixes in the iOS 11.4 build – not only does it beggar belief that nothing would have come up and been sorted since last time, but also Apple is explictly listing the new version under the heading “security updates”.
More than years ago, we urged Apple as follows:
If anyone at Apple is reading this, please beg your product managers to reorganise their update workflow so that the security notifications go live at the same time as, or before, the actual updates are published. After all, you invite your users to visit [HT201222] from the start; I suggest that it’ll be much easier to persuade people to be early adopters if you have all your informational ducks in a row from the start.
After that, things got much better, with Apple typically getting its security advisories out at the same time as its patches – a vital practice in my opinion, especially given that Apple’s official policy is not to say anything at all about security issue, not a thing, until the patches are ready.
What to do?
Should you update if your phone hasn’t updated itself already?
I’m still saying, “Yes,” but from the tricky position of not having an explictly compelling reason this time other than habit. (Go to Settings → General → Software Update.)
Should you ask Apple to revisit that security advisory workflow once again, as we did back in 2013?
Why not?
Tony Rowe
So… with an unannounced and unsolicited piece of s/w on your phone you went ahead and installed with no check that it wasn’t a piece of malware that had somehow evaded your defences.
And it went more quickly than usual. Wow.
So perhaps it wasn’t an IOS upgrade (other than the version no) but just loaded some malware that is still to bite you.
Perhaps next time you access your bank acct and release your credentials!!
Paul Ducklin
No, that’s not what happened at all.
It wasn’t unannounced, given that I invited Apple to tell me whether there was an update. It wasn’t unsolicited, for exactly the same reason. It wasn’t unchecked, given how it was downloaded and from where it came.
It *was* an iOS upgrade, and that’s that as far as I can tell.
ejhonda
Oh, and thanks for the heads up on the iOS update being available.
ejhonda
Tony, I’m going to take a wild guess that you don’t own an Apple device.
Epic_Null
I wonder if information was missing because it was released earlier than planned?
Paul Ducklin
I was wondering that… I *think* I found one thing that seems better after the update, though, even if Apple doesn’t consider it a vulnerability:
https://nakedsecurity.sophos.com/2018/05/31/we-found-1-good-reason-to-get-apples-ios-11-4-update/
Sam
It seems to me the issue is that the corresponding macOS update is delayed for some reason. (I speculate Intel microcode for Spectre 3a/4) Because of the shared code between the platforms, Apple is withholding the changes until macOS 10.13.5 comes out.
Paul Ducklin
I like that. It’s just spectrulation (sorry!) but I was suprised to see nothing for macOS.
Wilderness
Such lack of transparency! It’s funny that Apple started out as the little guy against the establishment, and now, they have become what they hate: they are the establishment. Think different? No, think like all the other sheep and buy overpriced Apple gear again and again.
John Valenti
There is a security document listed there now. (I was curious if they included the 7 day USB port lockout feature, but don’t see it mentioned)
Paul Ducklin
Yes, macOS got its update last night (I am running 10.13.5 now) and so it looks as though the comment that “the security notes are awaiting a possibly dealyed macOS update” might be spot on.
The iOS security advisory lists two fixes to the Messages app, including one that is described as fixing a bug by which “processing a maliciously crafted message may lead to a denial of service.”
So I am assuming there is truth to my guesswork here:
https://nakedsecurity.sophos.com/2018/05/31/we-found-1-good-reason-to-get-apples-ios-11-4-update/
As for the USB lockout feature, that’s not a security patch or update, and those security advisories generally seem to stick to fixes rather than new stuff.
Steve
I received an an update notice for update # HT201222 on my computer(not a Mac). I have no apple products so I started checking. the first thing I checked was the security certificate, and found that it had expired in 2014. So in my mind anyway it might be bogus so no install. Especially with no explanation for what the update is for. Found your site while trying to find out what it is, or isn’t. Just thought I’d let you know.
Paul Ducklin
“HT201222” is Apple’s generic “security bulletin” page reference – it’s the ID of the security notification that lists all the other security notification pages. (An index page, if you like.)
So there’s a ring of truth there, at least for anyone who has a Mac, because they will probably have encountered those magic characters “HT201222” before, even if they have never visited the relevant page.
But the fact that you don’t have a Mac and the alleged “update” was hosted on an insecure web server tells you to avoid any downloads (or other content) on that site!