SecureMac, Inc.

Checklist 264: Updates and Sharing What You Know

January 28, 2022

AirTag security for Android users. Plus, a big round of Apple updates (with a fix for the WebKit IndexedDB vulnerability).

Checklist 264: Updates and Sharing What You Know

On this week’s show:

Apple’s January updates

Apple has released updates for all of its OSes, including current as well as older versions of macOS.

Here’s what you need to know:

iOS 15.3 and iPadOS 15.3

iOS and iPadOS are so similar as to be virtually the same operating system, so we’ll discuss them together here.

Apple updated the OSes for iPhones and iPads this week: iOS 15.3 and iPadOS 15.3, respectively.

The most important fix addressed a security issue with WebKit. A MacRumors piece detailed the issue a couple of weeks ago, noting a bug in “WebKit’s implementation of a JavaScript API called IndexedDB”. The potential impact is fairly serious, the article says, since:

The bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often unique and specific to each website. 

iOS 15.3 and iPadOS 15.3 patch this vulnerability.

They also address a security issue with IOMobileFrameBuffer. Apple’s release notes say that this flaw “may have been actively exploited”; the vulnerability means that “a malicious application may be able to execute arbitrary code with kernel privileges.” 

Serious stuff, and reason enough to run updates for your iPhone and iPad today!

macOS updates

Apple has also released security updates for different versions of macOS. 

The most current version of macOS has been updated to macOS Monterey 12.2. The update addresses the IndexedDB and IOMobileFrameBuffer issues discussed above — as well as 11 other security vulnerabilities.

Mac users who are still on Big Sur or Catalina both get an update for Safari: the Apple web browser has been updated to Safari 15.3. There are four security fixes there, including the big one: the IndexedDB data leak issue.

Big Sur users get an OS update: macOS Big Sur 11.6.3, which fixes seven security flaws.

And last but not least, Catalina users also received a full security update: Security Update 2022-001 Catalina. That update addresses an additional five security issues.

watchOS, tvOS, and HomePod

Apple released updates for its other OSes as well.

watchOS is now updated to watchOS 8.4. It contains eight security patches — and a UX bug fix as well: the update solves a problem that some Apple Watch users were experiencing when charging their devices with third-party chargers.

Rounding out this edition of Apple updates, tvOS and the software for HomePod were both moved to version 15.3. There were nine security issues addressed in the tvOS release. There’s not much else to mention here, other than the addition of multi-user support for HomePod in India and Italy. 

Sharing security knowledge

On past shows, we’ve touched on the issue of how to talk to family and friends about security issues.

We know that it can feel a bit strange to be doing this. Many of us who are interested in learning more about cybersecurity don’t feel like experts, or like we’re qualified to be giving out advice to others.

But it’s important to remember that if you follow The Checklist, you’re already more knowledgeable about computer security issues than a lot of people. And sharing the knowledge that you do have can help keep your friends and family safe. 

With that in mind, let’s talk about a couple of things that you should definitely share with people in your life this week!

AirTag security for Android users

First up, AirTag. Apple’s tracking device for personal belongings has been on our radar ever since it came out — mainly because of the potential for misuse by bad guys. After all, if AirTag can be used to track a thing, then it can be used to track a person.

We discussed these issues extensively on Checklist 227: Playing AirTag (including what to do if you find a rogue AirTag tracking you).

This week, Apple updated its Personal Safety User Guide to include a section dedicated to AirTag. It explains how to use Apple’s system of iOS alerts that let you know if somebody else’s AirTag is traveling with you.

However, that system really only works if you have an iPhone. For this reason, we’ve always been a bit worried about Android users. And that’s a lot of people: they make up about three-fourths of all mobile device users worldwide.

Share this app!

OK, so this is where the sharing part comes in: If you know someone who has an Android smartphone, and who is concerned about AirTag and privacy, let them know that they now have a way to receive Apple’s AirTag warnings right on their Android device!

Apple has released an Android app called Tracker Detect in the Google Play Store. Apple explains how it works:

Tracker Detect looks for item trackers within Bluetooth range that are separated from their owner and that are compatible with Apple’s Find My network. These include AirTag and compatible item trackers that use the Find My network. If you think someone is using an AirTag or another item tracker to track your location, you can scan to try to find it. If the app detects an AirTag or compatible item tracker near you for at least 10 minutes, you can play a sound to help locate it.

So you have Android users in your life, please take a second to tell them about this tool today!

General security for Apple users

Unsurprisingly, Apple’s Personal Safety User guide is focused on Apple users and Apple devices. And there’s a wealth of information there. A MacRumors report says that the guide includes such topics as “controlling who can access your location, blocking unknown sign-in attempts, avoiding fraudulent requests to share info, setting up two-factor authentication, managing privacy settings, and more.” 

Apple also has a section in its online guide that contains three key checklists for personal safety:

If you’ve listened to The Checklist for a while, a lot of this stuff will already be familiar to you. However, it will most likely be new information to many, many everyday Apple users who don’t follow security podcasts! So please share these checklists from Apple’s website with anyone in your life who might be able to learn from them. It only takes a minute, and it can help to keep them safe.

Have a security and privacy question for us to answer on a future edition of The Checklist? Please write to us!

Join our mailing list for the latest security news and deals