Apple Leaves Users Vulnerable By Not Fixing iOS and OS X Security Issues Simultaneously

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Apr 23, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Notable computer security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, has taken to her blog (via Ars Technica) to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching them in OS X.

    iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
    Addressing Apple, Paget goes on to write that Apple needs to sit in front of a chalkboard and write out "I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS."

    In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.

    Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.

     
  2. macrumors 68040

    Goldfrapp

    Joined:
    Jul 31, 2005
    #2
    No company is perfect, and honestly, they're all pretty much the same.
     
  3. Guest

    keterboy

    Joined:
    Jan 22, 2014
    Location:
    Earth's Core
  4. macrumors 601

    Joined:
    Jul 11, 2008
    #4
    I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.
     
  5. macrumors 65816

    east85

    Joined:
    Jun 24, 2010
  6. Guest

    Sky Blue

    Joined:
    Jan 8, 2005
    #6
    Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
     
  7. macrumors 65816

    east85

    Joined:
    Jun 24, 2010
    #7
    If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.
     
  8. macrumors member

    Joined:
    Jan 6, 2010
    #8
    We all make mistakes

    Apple should also start building cars that explode on impact. Oh wait...
     
  9. arn
    macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #9
    I don't think you read the article.

    arn
     
  10. macrumors 6502

    gpsouza

    Joined:
    Jan 1, 2012
    Location:
    Lisbon
    #10
    First off, the number of people who use iOS is (by my guesses) much larger than OSX, so, not fixing it at the same time is leaving a larger number of people unprotected.

    And the way that OSX works is different. Mac has a lot of variation, and a wider lifespan, leaving it complicated to fix it everywhere.

    But that's just my opinion.
     
  11. macrumors 601

    Traverse

    Joined:
    Mar 11, 2013
    Location:
    Here
    #11
    I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
     
  12. macrumors 65816

    Joined:
    Apr 16, 2004
    Location:
    Drifting through space in a broken escape pod
    #12
    If I had to guess, this is probably a case of one hand not talking to the other. Apple is notorious for their secrecy, even between departments. Maybe the iOS coders only found out about the vulnerabilities when they read the OS X patch notes?
     
  13. macrumors regular

    mdridwan47

    Joined:
    Jan 20, 2014
  14. macrumors 6502

    gpsouza

    Joined:
    Jan 1, 2012
    Location:
    Lisbon
    #14
    Also, I would love to see the news APPLE LEAVES IOS 7 DAYS UNFIXED AND MILLIONS OF USERS HAVE THEIR DATA STOLEN JUST BECAUSE APPLE WAITED TO FIX OSX TOO
     
  15. macrumors G5

    Rogifan

    Joined:
    Nov 14, 2011
    #15
    Wow, why didn't Tim Cook think of this?!
     
  16. macrumors 6502

    Joined:
    May 3, 2011
    Location:
    Upper Midwest
    #16
    But not if the one patch alerts baddies to the same unpatched vulnerability on the other platform, creating a 0day for your other platform.
     
  17. macrumors 6502

    scbn

    Joined:
    Jul 25, 2010
    #17
    Well, on the other hand, I don't like Microsoft's approach, releasing security fixes a dozen times a week.
     
  18. macrumors member

    gjvon

    Joined:
    Jul 2, 2012
    Location:
    Houston, Texas (Born and raised a Texan)
    #18
    What a pointless article. This person seriously said "Apple needs to do this."
    Lol I am assuming they work at Apple.
     
  19. macrumors 604

    Digital Skunk

    Joined:
    Dec 23, 2006
    Location:
    In my imagination
    #19
    Why would they, they're just going to run in here to Apple's rescue and claim that poor Apple doesn't have the resources to fix that much code, when in the article it mentions that the kernel is about the same, and fixing the flaws would take almost no time at all and not weeks.

    I am surprised that it's OSX first then iOS and not the other way around.

    Still, I agree with the poster that said no company is perfect. Apple Retail (the only paid Apple experience I care to have) was FULL of idiots that let thousands of dollars in hardware and property go missing.

    Those naysayers that claimed it's time for Apple users to get anti-virus and other forms of protection may have been right after all.
     
  20. macrumors member

    Joined:
    Mar 28, 2013
    Location:
    TX
    #20
    I agree, but I believe her point is that they should not publish those vulnerabilities if they are not going to do both at the same time. Otherwise, you are leaving the other platform at major risk.
     
  21. macrumors 6502

    christarp

    Joined:
    Oct 29, 2013
    #21
    What a terrible attempt at trolling.
     
  22. macrumors 6502

    Joined:
    Jul 9, 2008
    #22
    Arn, I think the second paragraph needs to be included in the quote.

    The following is definitely a quote:

     
  23. macrumors 6502a

    Joined:
    Jun 20, 2011
    #23
    Safari 7.0.3 was already released 2 weeks ago.
     
  24. arn
    macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #24
    You have a critical security bug on your iPhone.

    Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.

    Option 2: Apple tells the world about the security bug at the moment they fix it.

    Which would you prefer? Right now Apple's doing option #1.

    arn
     
  25. macrumors member

    gjvon

    Joined:
    Jul 2, 2012
    Location:
    Houston, Texas (Born and raised a Texan)
    #25
    Or maybe they are working to find a fix. Not as simple as these "writers" believe. There is an art behind software engineering.
     
