Old Apr 23, 2014, 02:34 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Leaves Users Vulnerable By Not Fixing iOS and OS X Security Issues Simultaneously




Notable computer security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, has taken to her blog (via Ars Technica) to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching them in OS X.

iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
Quote:
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don't see anything wrong with this?

Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
Addressing Apple, Paget goes on to write that Apple needs to sit in front of a chalkboard and write out "I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS."

In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.

Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.

MacRumors is offline   2 Reply With Quote
Old Apr 23, 2014, 02:35 PM   #2
PBF
macrumors 68030
 
Join Date: Jul 2005
Location: NYC
No company is perfect, and honestly, they're all pretty much the same.
PBF is offline   5 Reply With Quote
Old Apr 23, 2014, 02:35 PM   #3
keterboy
macrumors regular
 
Join Date: Jan 2014
Location: Earth's Core
OMG, Apple! How could you?!!
keterboy is offline   2 Reply With Quote
Old Apr 23, 2014, 02:36 PM   #4
Razeus
macrumors 68040
 
Join Date: Jul 2008
I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.
__________________

Website, Pictures & Tweets
Razeus is offline   10 Reply With Quote
Old Apr 23, 2014, 02:37 PM   #5
east85
macrumors 6502a
 
Join Date: Jun 2010
Bureaucracy strikes again!

Fair concern.
__________________
13.3" MacBook Aluminum | 2.4GHz | 8GB RAM | 128GB SSD | OS X 10.9
iPad Mini | 16GB | Slate | iOS 7
east85 is offline   9 Reply With Quote
Old Apr 23, 2014, 02:37 PM   #6
Sky Blue
Guest
 
Join Date: Jan 2005
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
Sky Blue is offline   2 Reply With Quote
Old Apr 23, 2014, 02:38 PM   #7
east85
macrumors 6502a
 
Join Date: Jun 2010
Quote:
Originally Posted by Razeus View Post
I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.
If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.
__________________
13.3" MacBook Aluminum | 2.4GHz | 8GB RAM | 128GB SSD | OS X 10.9
iPad Mini | 16GB | Slate | iOS 7
east85 is offline   4 Reply With Quote
Old Apr 23, 2014, 02:38 PM   #8
Art Mark
macrumors member
 
Join Date: Jan 2010
We all make mistakes

Apple should also start building cars that explode on impact. Oh wait...
Art Mark is offline   1 Reply With Quote
Old Apr 23, 2014, 02:38 PM   #9
arn
macrumors god
 
Join Date: Apr 2001
Quote:
Originally Posted by PBF View Post
No company is perfect, and honestly, they're all pretty much the same.
I don't think you read the article.

Quote:
Originally Posted by Sky Blue View Post
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
I don't think you read the article.

arn
arn is offline   25 Reply With Quote
Old Apr 23, 2014, 02:39 PM   #10
gpsouza
macrumors 6502
 
Join Date: Jan 2012
Location: Lisbon
First off, the number of people who use iOS is (by my guesses) much larger than OSX, so, not fixing it at the same time is leaving a larger number of people unprotected.

And, the way that OSX works is different. Mac has a lot of variation, and a wider lifespan, leaving it complicated to fix it everywhere.

But that's just my opinion.
__________________
MBP 8gb ram 120 SSD iPad 3 32gb Wifi iPhone 5 16gb iPod Nano 6/7 gen
gpsouza is offline   0 Reply With Quote
Old Apr 23, 2014, 02:39 PM   #11
Traverse
macrumors 65816
 
Join Date: Mar 2013
Location: My Own World
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
Traverse is offline   6 Reply With Quote
Old Apr 23, 2014, 02:41 PM   #12
mrxak
macrumors 65816
 
Join Date: Apr 2004
Location: Drifting through space in a broken escape pod
If I had to guess, this is probably a case of one hand not talking to the other. Apple is notorious for their secrecy, even between departments. Maybe the iOS coders only found out about the vulnerabilities when they read the OS X patch notes?
__________________
Phones Will Kill You
mrxak is offline   4 Reply With Quote
Old Apr 23, 2014, 02:41 PM   #13
mdridwan47
macrumors regular
 
Join Date: Jan 2014
Dammit Apple!

mdridwan47 is offline   15 Reply With Quote
Old Apr 23, 2014, 02:41 PM   #14
gpsouza
macrumors 6502
 
Join Date: Jan 2012
Location: Lisbon
Also, I would love to see the news APPLE LEAVES IOS 7 DAYS UNFIXED AND MILLIONS OF USERS HAVE THEIR DATA STOLEN JUST BECAUSE APPLE WAITED TO FIX OSX TOO
__________________
MBP 8gb ram 120 SSD iPad 3 32gb Wifi iPhone 5 16gb iPod Nano 6/7 gen
gpsouza is offline   5 Reply With Quote
Old Apr 23, 2014, 02:42 PM   #15
Rogifan
macrumors G3
 
Join Date: Nov 2011
Quote:
Originally Posted by east85 View Post
If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.
Wow, why didn't Tim Cook think of this?!
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   2 Reply With Quote
Old Apr 23, 2014, 02:44 PM   #16
iMerik
macrumors 6502
 
Join Date: May 2011
Quote:
Originally Posted by Traverse View Post
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
But not if the one patch alerts baddies to the same unpatched vulnerability on the other platform, creating a 0day for your other platform.
iMerik is offline   16 Reply With Quote
Old Apr 23, 2014, 02:44 PM   #17
scbn
macrumors regular
 
Join Date: Jul 2010
Well, on the other hand, I don't like Microsoft's approach, releasing security fixes a dozen times a week.
scbn is offline   4 Reply With Quote
Old Apr 23, 2014, 02:44 PM   #18
gjvon
macrumors member
 
Join Date: Jul 2012
Location: Houston, Texas (Born and raised a Texan)
 
What a pointless article. This person seriously said "Apple needs to do this."
Lol I am assuming they work at Apple.
__________________
rMACBOOK PRO 15" w/Nvidia 750m - Late 2013
iPhone 5s 32G
gjvon is offline   0 Reply With Quote
Old Apr 23, 2014, 02:45 PM   #19
Digital Skunk
macrumors 604
 
Join Date: Dec 2006
Location: In my imagination
Quote:
Originally Posted by arn View Post
I don't think you read the article.



I don't think you read the article.

arn
Why would they, they're just going to run in here to Apple's rescue and claim that poor Apple doesn't have the resources to fix that much code, when in the article it mentions that the kernel is about the same, and fixing the flaws would take almost no time at all and not weeks.

I am surprised that it's OSX first then iOS and not the other way around.

Still, I agree with the poster that said no company is perfect. Apple Retail (the only paid Apple experience I care to have) was FULL of idiots that let thousands of dollars in hardware and property go missing.

Those naysayers that claimed it's time for Apple users to get anti-virus and other forms of protection may have been right after all.
__________________
What do I have?, stuff that I actually use for work! Some old, some new, all effective.
Digital Skunk is offline   3 Reply With Quote
Old Apr 23, 2014, 02:45 PM   #20
badams002
macrumors member
 
Join Date: Mar 2013
Location: TX
Quote:
Originally Posted by Traverse View Post
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
I agree, but I believe her point is that they should not publish those vulnerabilities if they are not going to do both at the same time. Otherwise, you are leaving the other platform at major risk.
badams002 is offline   5 Reply With Quote
Old Apr 23, 2014, 02:46 PM   #21
christarp
macrumors regular
 
Join Date: Oct 2013
Quote:
Originally Posted by Art Mark View Post
Apple should also start building cars that explode on impact. Oh wait...
What a terrible attempt at trolling.
christarp is offline   12 Reply With Quote
Old Apr 23, 2014, 02:46 PM   #22
arian19
macrumors regular
 
Join Date: Jul 2008
Arn, I think the second paragraph needs to be included in the quote.

The following is definitely a quote:

Quote:
Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire user base of the other platform exposed to known security vulnerabilities for weeks at a time?
arian19 is offline   6 Reply With Quote
Old Apr 23, 2014, 02:47 PM   #23
bsolar
macrumors 6502
 
Join Date: Jun 2011
Quote:
Originally Posted by Sky Blue View Post
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
Safari 7.0.3 was already released 2 weeks ago.
bsolar is offline   0 Reply With Quote
Old Apr 23, 2014, 02:47 PM   #24
arn
macrumors god
 
Join Date: Apr 2001
Quote:
Originally Posted by Traverse View Post
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
You have a critical security bug on your iPhone.

Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.

Option 2: Apple tells the world about the security bug at the moment they fix it.

Which would you prefer? Right now Apple's doing option #1.

arn
arn is offline   29 Reply With Quote
Old Apr 23, 2014, 02:47 PM   #25
gjvon
macrumors member
 
Join Date: Jul 2012
Location: Houston, Texas (Born and raised a Texan)
 
Quote:
Originally Posted by badams002 View Post
I agree, but I believe her point is that they should not publish those vulnerabilities if they are not going to do both at the same time. Otherwise, you are leaving the other platform at major risk.
Or maybe they are working to find a fix. Not as simple as these "writers" believe. There is an art behind software engineering.
__________________
rMACBOOK PRO 15" w/Nvidia 750m - Late 2013
iPhone 5s 32G
gjvon is offline   1 Reply With Quote
