But not if the one patch alerts baddies to the same unpatched vulnerability on the other platform, creating a 0day for your other platform.

Security through obscurity is no security at all. If there's a vulnerability, you have to assume everyone already knows about it, and the bad guys aren't talking about it first because they're busy exploiting it as much as possible.
 
Can you prove that?

Believe those claiming that this is a huge deal have the burden of proof here. If it's such a major issue like she claims, show us all of the people affected.

This is like freaking out because someone left the back door unlocked but no one broke in and nothing is missing. Actually it's not even that, as it'd require a lot more than simply walking in. She's just trying to get her name in the press and build a name for herself.
 
Alright, considering that they have so much cash, they have many users to support and there are so many little things to fix: files being stuck in an App in iCloud, many little music bugs on iOS, security etc etc.

Maybe hire some more people?
 
The approach to patching security holes has been utterly stupid as of late. More people need to criticise Apple for this; otherwise, they won't learn in a timely fashion.
 
It's because Apple sacked all the good ones... That's who to blame...


Personally, it's all downhill from here......


I wish I could say something good about Apple, but seriously, before Forstall left and the rest ... was much better than now...

At least fixes came out "on time" SSL bug in iOS... no excuse to leave it this long.......

If Apple doesn't take this as a priority, I'd like to see what they do classify one as :p

It's a security issue, not an app you can take your time over. Apple needs to really step up their security, and prove it.. At least to me..
 
Security through obscurity is no security at all. If there's a vulnerability, you have to assume everyone already knows about it, and the bad guys aren't talking about it first because they're busy exploiting it as much as possible.
Then patch both immediately instead of patching one and leaving the other one hung out to dry now that you've sounded the alarm. It's a matter of them being in sync and quick to fix, not what you are implying I meant.
 
As both are very probably not identical, one is fixed earlier than the other. Do you really think it's better to let the doors on both systems be open instead of fixing each system as fast as possible?
 
Believe those claiming that this is a huge deal have the burden of proof here. If it's such a major issue like she claims, show us all of the people affected.

This is like freaking out because someone left the back door unlocked but no one broke in and nothing is missing. Actually it's not even that, as it'd require a lot more than simply walking in. She's just trying to get her name in the press and build a name for herself.
Just because the backdoor lock never worked properly and it was never closed and yet no one broke in doesn't mean it's not a security/safety concern that people should be aware of, right?

----------

Then patch both immediately instead of patching one and leaving the other one hung out to dry now that you've sounded the alarm. It's a matter of them being in sync and quick to fix, not what you are implying I meant.
And if a fix for one takes less time than the other one (as can often happen for all kinds of real and valid reasons), should the fix that is available for one not be released until later? That makes less security sense.
 
Safari and Webkit should be updatable without updating the rest of the system.

This is probably why iOS updates often take longer. Right now, Apple's only option is to release an x.y.z update, whereas OS X can do either that or just issue a patch for, say, Safari.

As for the issue at hand, I'm curious whether there is research to support a claim that either one of these possibilities (keeping secret until both are fixed at same time, even though one fix may be ready before the other; or releasing both fixes as soon as possible in no particular order and not necessarily simultaneously) is worse than the other. Obviously, this researcher believes this to be the case.
 
server capacity issue?

How bad is performance retrieving updates now, the first day after they're released? Until their servers and bandwidth are built out further, expect it to be worse if both are released at the same time - keeping the peak load from being crazy might have been a consideration.

The point about the first publicizing a still-open vulnerability in the second is of course valid; but simultaneous updates should _only_ be necessary when an essentially identical vulnerability exists on both platforms. Any other updates IMO should not be simultaneous, for the reason I just mentioned.

Part of the problem (IMO) is also that iOS updates seem to be full reloads (comparable to OS X major version bump). If they were more like OS X minor updates, they'd be smaller and probably faster.
 
How bad is performance retrieving updates now, the first day after they're released? Until their servers and bandwidth are built out further, expect it to be worse if both are released at the same time - keeping the peak load from being crazy might have been a consideration.

I'm pretty sure Apple uses Akamai or a similar CDN, as do most large companies (Microsoft did in the past; I'm sure they still do). Thus, this concern isn't really relevant in that Apple isn't really providing the bandwidth here and has wisely outsourced it to a company that specializes in content delivery for, in part, this exact reason.
 
The fact is, there is no bug-free platform in this universe. I wouldn't trust anybody who says they have a bug-free app or platform. There is also no such thing as a perfect security system. Anything secured by a man can be broken by another man, simple as that.

Given the recent string of security bugs, I'd suspect everybody's going to start to step up now and get those bugs fixed quicker, along with re-visiting their security workflow on their platforms.

Very well said!

I would truly like to see Apple perform its due diligence on a regular basis. They have a golden opportunity to _lead the way_ steadfast in their vigilance to seek and find any and all weaknesses or vulnerabilities in the security of their systems. IE: software / hardware ecosystem.

Then instead of being tasked with damage control, or rushing out a patch etc, they'd establish and maintain a strong unshakeable reputation as the leader in security amongst the various companies.

While once years ago Macs weren't a target, market dynamics have changed. Now at the top as a fine brand and high grossing powerhouse, it's the perfect time for Apple to dedicate some of their resources and stellar talent to become the undisputed leader of safe computing and mobile communications.
 