At least the devices receive updates! Lots of Android users find their devices abandoned within months, never to see an update.
 
At least the devices receive updates! Lots of Android users find their devices abandoned within months, never to see an update.

Thank you! You quoted what I've been saying! That's exactly true! Google hardly ever patches android.
 
I don't think both OSes have the same bugs in this case. After all they use different main-lines of the kernel. In this case iOS7 uses a much newer kernel than Mavericks.
 
It's easy to criticise (see I'm doing it here), this **** just wasn't some self promotion **** her. She can have an opinion I give a crap about when she has a hundred billion in her bank.
 
I don't think both OSes have the same bugs in this case. After all they use different main-lines of the kernel. In this case iOS7 uses a much newer kernel than Mavericks.

EXACTLY! I also said that too. Thank you man.
 
Here is some context to this issue of not fixing security issues simultaneously.

From Peter Bright (Dr. Pizza), Ars Technica;
Windows and Android have substantially the same issue. Windows Phone and Windows will tend to share bugs in shared components (networking stack, kernel, browser, parts of the media stack). Android and Linux will tend to share bugs in shared components (networking stack, kernel). In both cases, there will tend to be a substantial window between the release of the Windows/Linux fix, and the release of the corresponding Windows Phone/Android fix, and in both cases those smartphone fixes are less readily available than Apple's equivalent iOS fixes (Windows Phone updates tend to roll out over the period of about a month; Android core fixes in general don't roll out at all).

While some facets of these competing platforms are less at risk--Chrome on Android, for example, is just a regular app, and so can be updated at a whim (assuming users update it, at any rate), unlike Safari on iOS (or Internet Explorer on Windows Phone), which needs a full OS patch to update--the overall story is the same or worse.

So while it's fair to say that Apple shouldn't drop 0-days on its mobile users each time it updates its desktop OS (or vice versa), substantially the same criticism can also be levelled at the #1 and #3 smartphone vendors too.

Here is another attempt to put this in context from Apple Insider;

Apple was condemned in a series of posts laced with profanity for patching iOS first (before GoToFail was publicly known about) and not releasing a patch for OS X until three days later.

In contrast, it took a week for the various parties involved in Heartbleed to even coordinate its disclosure, with embargo leaks informing some clients, including OpenSSL, Akamai and Facebook as much as several days before the general public and even major companies including Cisco, Dropbox, Juniper, Twitter, Ubuntu and Yahoo.

Another security flaw, similarly affecting network security, was identified in Android's WebView 16 months ago. While much more serious in that it provided full control of a device to remote malicious users and had functional tools available that allowed virtually anyone to exploit the flaw, roughly 75 percent of Android devices appear to remain vulnerable.
http://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet

More about the WebView security flaw;

There’s a vulnerability that affects WebView control in Android™ applications installed on Android devices running versions older than 4.2.

This vulnerability makes a large number of Android applications act as a hacker pipeline into user’s devices and provides a way to install malicious software, send SMSs and more.
http://blogs.avg.com/mobile/analyzing-android-webview-exploit/

And some more about the WebView security flaw;

An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.
http://www.darkreading.com/mobile-s...it-affects-most-android-phones/d/d-id/1113903
 
Exactly. Thank you for the nice post!
 
Thank you! You quoted what I've been saying! That's exactly true! Google hardly ever patches android.

Wrong on that count. Google does update Android. It's the carriers and the manufacturers who don't update the devices, but if you buy a Nexus device (directly from Google or certain carriers), you will actually get updates since it is stock Android straight from Google.
 
If this is a problem they can simply hire more talented software developers. You know, it's not like they don't have oodles of money.

But...then how would they pay millions for that burbey-something chick and Jony "the God himself" Ive? They single-handedly develop OS X, iOS and Macs (they do iToys during their lunch break). Engineers are losers and not needed in companies. Senior Vice Presidents are the ones that do everything. Even if they don't know what a computer os software is.
 
Wrong on that count. Google does update Android. It's the carriers and the manufacturers who don't update the devices, but if you buy a Nexus device (directly from Google or certain carriers), you will actually get updates since it is stock Android straight from Google.

Funny how they think they know, but they have NO idea.
 
Actually, with all due respect, it's you who are missing the point. The point is that Apple SHOULD indeed hold off on releasing a set of security patches for one platform until the fixes for the other platform are ready. They need to be released simultaneously, even if that means holding one up. The exception would be if the security hole is already well known and publicized by a third party. But in most cases, the holes are not known until Apple issues the fixes.

:confused: You just conflicted the statement I was objecting to:

I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup

What I was saying is that it's not a matter of waiting for the other to be ready, how about fixing both at the same time? Apple is a massive company now, and they should act like one. Sometimes I feel they don't deviate too much from the 'one thing at a time' mentality, even in their security fixes.
 
Wow! Certainly makes Android look a damn sight more secure, at least Google doesn't publicly announce all the security holes in its OS, it just patches them as it's supposed to.

Apple though to be honest has just been on one continuous slide downwards in regards to OS quality and security.
 
No, that's facing reality vs having unrealistic expectations.

Unrealistic is when a company continues to fail to fix bugs that have been ongoing.
Realistic is when a company takes time to fix most of the bugs/glitches per update.
 
Wow! Certainly makes Android look a damn sight more secure, at least Google doesn't publicly announce all the security holes in its OS, it just patches them as it's supposed to.

Apple though to be honest has just been on one continuous slide downwards in regards to OS quality and security.

No, it doesn't. Just read this: http://www.darkreading.com/mobile-s...it-affects-most-android-phones/d/d-id/1113903

This is a bug in Android's WebView that has been vulnerable for two full years, it was publicly disclosed 16 months ago.

In this case for iOS, they fixed it (which they disclosed) on OS X on April 1st, and fixed it in iOS 7.1.1 update on April 22nd.

The fact is, there is no bug-free platform in this universe. I wouldn't trust anybody who says they have a bug-free app or platform. There is also no such thing as a perfect security system. Anything secured by a man can be broken by another man, simple as that.

Given the recent string of security bugs, I'd suspect everybody's going to start to step up now and get those bugs fixed quicker, along with re-visiting their security workflow on their platforms.
 
It's really a lose-lose. Leave OSX vulnerable for another week while they get a fix for iOS ready, or drop the OSX update as soon as it is ready and expose iOS to more vulnerability than there already was.

What's the best course of action here? Hiring more developers probably isn't the correct option, because Apple doesn't want to hire more people than they can support all the time. You don't want people sitting around without work.
 