Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,290
30,375



Notable computer security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, has taken to her blog (via Ars Technica) to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching them in OS X.

mavericksios7.jpg
iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don't see anything wrong with this?

Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
Addressing Apple, Paget goes on to write that Apple needs to sit in front of a chalkboard and write out "I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS."

In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.

Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.

Article Link: Apple Leaves Users Vulnerable By Not Fixing iOS and OS X Security Issues Simultaneously
 

Razeus

macrumors 603
Jul 11, 2008
5,348
2,030
I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.
 

Sky Blue

Guest
Jan 8, 2005
6,856
11
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
 

east85

macrumors 65816
Jun 24, 2010
1,343
495
I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.

If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.
 

arn

macrumors god
Staff member
Apr 9, 2001
16,362
5,795
No company is perfect, and honestly, they're all pretty much the same.

I don't think you read the article.

Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.

I don't think you read the article.

arn
 

gpsouza

macrumors 6502
Jan 1, 2012
380
79
Lisbon
First off, the number of people who uses iOS is (by my guesses) much larger than OSX, so, not fixing it at the same time is leaving a larger number of people unprotected.

And, the way that OSX works it's different. Mac has a lot of variation, and a wider lifespan, leaving it complicated to fix it everywhere.

But that's just my opinion.
 

Traverse

macrumors 604
Mar 11, 2013
7,688
4,399
Here
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup.
 

mrxak

macrumors 68000
If I had to guess, this is probably a case of one hand not talking to the other. Apple is notorious for their secrecy, even between departments. Maybe the iOS coders only found out about the vulnerabilities when they read the OS X patch notes?
 

gpsouza

macrumors 6502
Jan 1, 2012
380
79
Lisbon
Also, I would love to see the news APPLE LEAVES IOS 7 DAYS UNFIXED AND MILLIONS OF USERS HAS THEIR DATA STOLEN JUST BECAUSE APPLE WAITED TO FIX OSX TOO
 

scbn

macrumors 6502
Jul 25, 2010
272
22
Well, on the other hand, I don't like the Microsoft's approach, releasing security fixes a dozen times a week.
 

Digital Skunk

macrumors G3
Dec 23, 2006
8,096
916
In my imagination
I don't think you read the article.



I don't think you read the article.

arn

Why would they, they're just going to run in here to Apple's rescue and claim that poor Apple doesn't have the resources to fix that much code, when in the article it mentions that the kernal is about the same, and fixing the flaws would take almost no time at all and no weeks.

I am surprised that it's OSX first then iOS and not the other way around.

Still, I agree with the poster that said no company is perfect. Apple Retail (the only paid Apple experience I care to have) was FULL of idiots that let thousands of dollars in hardware and property go missing.

Those naysayers that claimed it's time for Apple users to get anti-virus and other forms of protection may have been right after all.
 

badams002

macrumors member
Mar 28, 2013
43
0
TX
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup.

I agree, but I believe her point is that they should not publish those vulnerabilities if they are not going to do both at the same time. Otherwise, you are leaving the other platform at major risk.
 

arian19

macrumors demi-god
Jul 9, 2008
369
62
Arn, I think the second paragraph needs to be included in the quote.

The following is definitely a quote:

Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire user base of the other platform exposed to known security vulnerabilities for weeks at a time?
 

bsolar

macrumors 68000
Jun 20, 2011
1,525
1,716
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.

Safari 7.0.3 was already released 2 weeks ago.
 

arn

macrumors god
Staff member
Apr 9, 2001
16,362
5,795
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup.

You have a critical security bug on your iPhone.

Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.

Option 2: Apple tells the world about the security bug at the moment they fix it.

Which would you prefer? Right now Apple's doing option #1.

arn
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.