Earlier this month, a security researcher discovered a vulnerability in the new IOS 13 operating system. Unfortunately, new iPhone 11s were already loaded and packaged with IOS 13 prior to shipment. Users will receive their new iPhones with a vulnerability that could allow access to stored contact information. Fortunately, the vulnerability isn’t very serious, requiring a quite convoluted attack procedure which is highly unlikely to occur.
On the second Tuesday of this month, Microsoft released 80 security updates on so-called “Patch Tuesday.” Apparently so many security updates are required that we need a special day each month to celebrate the patches. Anyway, two of the vulnerabilities patched were so-called zero-days, vulnerabilities that had been used by criminals before being discovered and fixed by Microsoft. On the second Tuesday last month (August 2019), Microsoft released 93 security updates on “Patch Tuesday.” Twenty-nine of those vulnerabilities were considered “critical.” A month earlier (July 2019) it was reported that a Microsoft Windows zero-day exploit was used to attack several government institutions in Eastern Europe in June 2019.
These news items should not be shocking, or even mildly surprising, to anyone in the security space. Software vulnerabilities exist everywhere, whether we know about them or they remain hidden. I’ll go out on a [very small] limb here and say that every application has undiscovered (zero-day) vulnerabilities – those that have been discovered by cybercriminals but have not been discovered and patched by the application author.
As much as security professionals warn of these types of vulnerabilities, many companies continue to rely on operating systems and applications for security. Because any operating system and application may (and most likely does) have unknown vulnerabilities being exploited by cybercriminals, security professionals always recommend a layered security approach. Breaching one system is difficult, but not impossible. Breaching several systems simultaneously is much more challenging and much less likely. Security layers should come from different sources as vulnerabilities often permeate a provider’s offerings through code reuse.
To go a step further, infrastructure and application providers are, understandably, far more focused on performance and usability of their software than on security. They’re under continuous pressure to develop new features and performance improvements and simply cannot focus on security to the same level as a firm dedicated to security technologies. Infrastructure and application developers mean well, but you know what they say about best intentions. Identity is the front gate to any cloud service and should always be on a different technology stack than the infrastructure providers (Microsoft, Apple, etc.).