I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.

Missing the point. The question is, why does it take weeks for the other OS to catch up? No one says they should hold off one for the other, but they darn well should fix both of them at the same time ASAP, especially since they highlight the vulnerabilities fixed in one in the release notes leaving the other in an even more compromised position.

It's like saying: Hey I have two houses, I realized both have windows that don't lock properly but I fixed one of them, hackers. I will fix the other one in a few weeks time. Play nice.
 
First off, the number of people who use iOS is (by my guesses) much larger than OSX, so, not fixing it at the same time is leaving a larger number of people unprotected.
Missing the point. The question is, why does it take weeks for the other OS to catch up?
AFAIK, phone carriers still test iOS updates before they're made available to the public. That's got to add some amount of days worth of delay, compared to OS X updates.
 
the article is not pointless. Even if a company can't be perfect (obvious), stuff like this should be pointed out and discussed as it is a major security issue.

I recall past MacRumors articles where staff was pulled from OS X to finish up a version of iOS, it really feels like Apple should hire more software people. But I admit I'm ignorant to how many people actually work at Apple on stuff like this.
 
I wouldn't be surprised to see this if Forstall was still in charge of iOS and Federighi running OS X.
But since Federighi has been in charge of both for a year and a half, I would expect him to coordinate the security updates for different products better. Perhaps the "increased collaboration" between teams (as Tim Cook said) still has a lot of ways for improvement.
 
Aren't all of these vulnerabilities already public with a CVE ID before Apple patches them on any platform?
 
AFAIK, phone carriers still test iOS updates before they're made available to the public. That's got to add some amount of days worth of delay, compared to OS X updates.

I thought that was one of the reasons why iOS was preferred? Because the carrier doesn't have to do anything with the updates and users get them as soon as they are ready.

What if Sprint took 4EVER to go over an iOS update while the rest were ready to go?
 
I would've agreed, except

If I had to guess, this is probably a case of one hand not talking to the other. Apple is notorious for their secrecy, even between departments. Maybe the iOS coders only found out about the vulnerabilities when they read the OS X patch notes?

Seems likely, but then again, both iOS and OS X are now under Craig's control. I think it's more likely that they patch it on one platform, push it out, and realize that the way they wrote the code won't be good for x86 or ARM, depending on which they started on. It seems weird, considering they'd probably not work with that low level code, but who knows? I strongly expect their turnaround time to improve a lot though.
 
Good point. Better--in fact necessary!--to hold off just a bit and release together.

Let's see what Apple does next time: this is something that really CAN be fixed instantly--a mere policy change.
 
You have a critical security bug on your iPhone.

Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.

Option 2: Apple tells the world about the security bug at the moment they fix it.

Which would you prefer? Right now Apple's doing option #1.

arn

Do you really, REALLY think that only Apple knows about it? How many hackers do that for a living?
 
This is disappointing considering how much Apple toots its own trumpet when it comes to security.
 
Do you really, REALLY think that only Apple knows about it? How many hackers do that for a living?

It doesn't negate the two options. There's still a difference between some hackers knowing about it and Apple publicizing it.

arn
 
I thought that was one of the reasons why iOS was preferred? Because the carrier doesn't have to do anything with the updates and users get them as soon as they are ready.

What if Sprint took 4EVER to go over an iOS update while the rest were ready to go?
AFAIK, the carriers don't get the option to customize iOS updates (like they do with most other smartphone OSs), but they still are required to test them.

iOS 6.0.1 reportedly in carrier testing, could make its way to users soon
BGR: Apple seeding iOS 7.1 Beta 4 to devs tomorrow, carriers already testing it
Why Do Carriers Delay Updates for Android But Not iPhone?
 
If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.

Numerous articles interviewing different insiders have indicated that Apple runs things like a startup. They're trying to stay nimble and focused but that's hard to do when you keep adding more products and volume sold.

--

Is it at all possible that Apple knew that some hackers were already exploiting this vulnerability so they decided to patch it where they could? Perhaps they shouldn't have told what they were patching until later—or is that apparent from the patch file itself and what it replaces in the OS?
 
But not if the one patch alerts baddies to the same unpatched vulnerability on the other platform, creating a 0day for your other platform.
The security folks alert the baddies, so they release them as they are ready and have been tested enough to know the fix doesn't create a bigger hole.
 
And yet, no one did.

Security researchers always blow EVERYTHING out of proportion. Even very minor risks that will never be exploited are made into huge deals. Source: I am one in many ways.



Here is a fun one. There is a security hole in all Linux OSes that allows any app to run with admin privileges. It's been present for years and years and patching it would require a very large rewrite of how the entire OS works. We've been exploiting it for years yet security researchers haven't found it yet. :D
 
It's like saying: Hey I have two houses, I realized both have windows that don't lock properly but I fixed one of them, hackers. I will fix the other one in a few weeks time. Play nice.

Sure ok. Let's say that we have 50 million Mac users and 50 million iOS users. A patch is ready for iOS but not for Mac. You wait and send the patch out for both at the same time rather than sending out the iOS patch?
 
Apple probably has a very small OS security team because people like this lady will eventually leave the company and tell the world about all of Apple's security flaws and oversights.

Better to be small and pseudo-controlling than to be totally secure and transparent.

Steve Jobs' legacy still shining strong. Hide everything, deny everything, sue everything.
 