Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

October 3, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released so many fixes for zero-days the past few weeks, I've lost count TBH. Just make sure you are running iOS 16.7 or 17.0.1 (iPhone 14 or older) or 17.0.2 (iPhone 15 only), watchOS 9.6.3 or 10.0.1, macOS 12.7 or 13.6.
  • Cisco has released new fixes for IOS and IOS XE software, while CISA issued a warning that Chinese threat actors have been using "stolen or weak administrative credentials" to modify firmware on Cisco routers and using them to access corporate networks (so use good strong passwords and monitor for changes).
  • Google Chrome has been updated to fix another zero-day (remember to close the browser and reopen it to install the update).
  • Fortinet has released new critical fixes for FortiOS, FortiProxy, and FortiWeb products.

Patch All the Things!



Understanding software version numbers

How many of you read about the Apple updates above and wondered why the numbers go the way they do? Well, I'm gonna explain that this week! (It works the same way for both software and firmware.)

A shorthand explanation I've seen many times is that versioning takes the format X.Y.Z where X=major, Y=minor, and Z=patch. So, in our examples above, Apple recently released iOS 17 with a bunch of new features, some of which only work on the latest hardware. That's the first number in the version, 17, which indicates it's a major upgrade to earlier versions. Then you see we have 17.0.1 and 17.0.2. The 0 in the middle of both of those indicates that we haven't gotten any minor feature additions to iOS 17 just yet. The last number indicates that we have received some patches. iOS 16.7 has some minor feature updates since 16.6.2 and also some patches, all rolled into one update (that's why there is no third number -- patches to 16.7 will cause the release of 16.7.1).

Now that you understand the numbering scheme, why do you care? Well, my rule of thumb is never upgrade to X.0 anything (one exception below). This numbering scheme means it's a brand new, major upgrade with no patches released yet, which most likely has some bugs, and personally *I* don't want to be the one to find them. I always wait for that second number to be 1 at a minimum before upgrading (and I often wait longer than that).

Should you upgrade to 17.1 as soon as it's available? Well, again, my rule of thumb is that I only upgrade to a major version if (1) it has some features I want and (2) my device is fairly new, so it's not going to become super-slow trying to run firmware it wasn't designed to run. If those two conditions aren't met, I would only do a major upgrade when the version I'm running is no longer supported. Gotta keep getting those security patches!

Finally, if you can't remember the last time you updated a device, and you go look for software/firmware updates on it and find that there are none available, double-check that the version you are running is still supported. If it's not supported, and you can't update that device to a supported version, then it's time to replace that device.

Note that not all software follows this versioning scheme. There are a couple of other common schemes to be aware of, and I'll address those in a future newsletter.
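To make the X.Y.Z scheme and the rule of thumb above concrete, here is a small added Python example (mine, not from the newsletter). It parses version strings the way the text reads them (16.7 is 16.7.0), encodes the "skip X.0" rule, and checks a version against a support table; the SUPPORTED table is constructed for illustration and is not Apple's real support policy.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True, order=True)
class Version:
    """One X.Y.Z version; ordering is field-wise: major, then minor, then patch."""
    major: int
    minor: int = 0
    patch: int = 0

    @classmethod
    def parse(cls, text: str) -> "Version":
        # A two-part string such as "16.7" means 16.7.0: a minor release
        # that has not received its first patch yet.
        parts = text.strip().split(".")
        if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not an X.Y.Z version: {text!r}")
        nums = [int(p) for p in parts] + [0] * (3 - len(parts))
        return cls(*nums)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def passes_x_dot_zero_rule(candidate: Version) -> bool:
    """Newsletter rule of thumb: skip X.0.* releases and wait until the
    middle (minor) number is at least 1."""
    return candidate.minor >= 1


# Constructed illustration only: oldest release of each major line that the
# vendor still patches. Real values come from the vendor's support pages.
SUPPORTED: Dict[int, Version] = {
    16: Version.parse("16.7"),
    17: Version.parse("17.0.1"),
}


def is_supported(installed: Version, table: Dict[int, Version] = SUPPORTED) -> bool:
    """True if the installed version is in a supported major line and at least
    that line's oldest patched release."""
    floor = table.get(installed.major)
    return floor is not None and installed >= floor


def newest_patch_for(installed: Version, released: Iterable[Version]) -> Optional[Version]:
    """Newest release in the same major.minor line as the installed version,
    i.e. the patch to apply before considering any major upgrade."""
    same = [v for v in released if (v.major, v.minor) == (installed.major, installed.minor)]
    return max(same, default=None)
```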

October is Cybersecurity Awareness Month

And CISA has developed some resources to raise awareness and assist in employee training. You will probably recognize their "Four Easy Ways to Stay Safe Online" -- read and share.

Stay cyber safe this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy