Comment: The Catch-22 position Apple is in regarding the iOS 9.3.5 security fix


One of the major benefits of Apple’s ecosystem is that it’s a pretty secure environment. Take OS X (soon to be macOS). The first ever example of OS X ransomware seen in the wild was earlier this year, when it was major news. Other Mac malware exists, but it’s rare enough that individual examples make the news – and most of those require users to do something irresponsible, like install software from an unknown source.

Contrast that with Windows, where the BBC reported that the number of viruses, worms and trojans in circulation topped the one million mark as long ago as 2008. That may be somewhat exaggerated, but most sources agree that the number is in six figures.

iOS is an even more secure platform. Sure, if you jailbreak an iPhone, all bets are off, and there are ways to install sketchy apps on iOS devices using an enterprise certificate. But absent those two things, it wasn’t until this year that the first example of iOS malware was found …

Author Ad Placeholder
Will only appear on redesign env.

None of which means that iOS is perfect. Any system created by human beings will have security flaws, and these exist in iOS. It’s through an undocumented flaw – a ‘zero-day vulnerability’ – that a private company was able to break into the San Bernardino iPhone for the FBI, and it’s why black-hat companies will outbid Apple in trying to get their hands on them.

But the vast majority of flaws discovered in iOS are rather innocuous, providing very limited access in very specific circumstances. In most cases, a white-hat security researcher will discover one, report it to Apple, then wait for the company to issue an updated version of iOS to fix it before sharing the details with the world.

Occasionally, however, a very serious flaw will be discovered – and that’s what’s happened here. The vulnerability fixed in iOS 9.3.5 concerned a hole so serious that merely clicking on a link would give attackers full control of an iPhone. Effectively, it was a way to jailbreak someone’s iPhone remotely, without them being aware of the fact. It doesn’t get any more serious than that.


And yet almost no non-techies are aware of the issue. Most iPhone and iPad users are still running whatever the latest version of iOS was last time they could be bothered to upgrade. No one has tapped them on the shoulder and said ‘Hey, I know most iOS dot releases are no big deal to you, but this one really is.’

Apple has been remarkably quiet about the issue. Sure, it described it as ‘an important security update,’ but even the security note later added to its support site doesn’t exactly shout about it. The most serious of the three issues fixed is listed last, with a simple line reading: ‘Visiting a maliciously crafted website may lead to arbitrary code execution.’

It would be easy to accuse Apple of putting PR above the security of its customers by not making much effort to stress the importance of the update, and to bring it to the attention of non-tech customers. But the reality here is that Apple is in a no-win situation.

The Catch-22 is this. While hardly anyone knows about the vulnerability, that includes the bad guys who would otherwise be exploiting it. If Apple shouts about it, then customers will learn of it – and many will update promptly – but so will the bad guys, who will rush to take advantage of it.

One could argue either side of the case, to demonstrate that Apple’s approach is either right or wrong depending on your perspective. But there is no easy answer. Both approaches have risks. Keep quiet, and more customers will be at risk until they update; make a fuss, and more criminals and sketchy governments will exploit the flaw.


If you come down on the side of it being better to keep things quiet, you can also argue that I shouldn’t have written this piece. But my view is that, by this point, enough of those specifically looking out for iOS vulnerabilities – the people we don’t want to know about it – already do. The people who don’t are the non-tech iPhone owners who are lax in their updates.

So, if you haven’t already updated, do (or the latest iOS 10 beta is fine too). And do your non-tech friends a favor and make sure they do too. This genie is out of the bottle.

Photos: iUpdateOS;; EverythingApplePro. This piece was promoted by a discussion between Zac Hall and Greg Barbosa.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear