Apple Leaves Users Vulnerable By Not Fixing iOS and OS X Security Issues Simultaneously
Notable computer security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, has taken to her blog (via Ars Technica) to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching them in OS X.
iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don't see anything wrong with this?
Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
Addressing Apple, Paget goes on to write that Apple needs to sit in front of a chalkboard and write out "I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS."
In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.
Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.
Popular Stories
Apple changed the strategy for iOS 17 later in its development process to add several new features, suggesting that the update may be more significant than previously thought, Bloomberg's Mark Gurman reports.
In January, Gurman said that iOS 17 could be a less significant update than iPhone updates in previous years due to the company's intense focus on its long-awaited mixed-reality...
Following nearly six weeks of beta testing, iOS 16.4 is expected to be released to the public as soon as this week. The software update includes a handful of new features and changes for the iPhone 8 and newer. To install an iOS update, open the Settings app on the iPhone, tap General → Software Update, and follow the on-screen instructions.
Below, we have recapped eight new features and...
Some Apple employees are concerned about the usefulness and price point of the company's upcoming mixed-reality headset, The New York Times reports.
Apple headset concept by David Lewis and Marcus Kane Initial enthusiasm around the device at the company has apparently become skepticism, according to eight current and former Apple employees speaking to The New York Times. The change of tone...
Apple today released iOS 16.4, the fourth major update to the iOS 16 operating system that initially came out last September. iOS 16.4 comes two months after the launch of iOS 16.3, an update that added Security Keys for Apple ID.
iOS 16.4 and iPadOS 16.4 can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. It can take a few minutes...
Apple showcased its mixed-reality headset to the company's top 100 executives in the Steve Jobs Theater last week, according to Bloomberg's Mark Gurman.
In the latest edition of his "Power On" newsletter, Gurman explained that the "momentous gathering" is a "key milestone" ahead of the headset's public announcement planned for June. The event was intended to rally Apple's top members of...
We're still almost six months away from the official unveiling of the iPhone 15 lineup, but it seems like every day we're learning more about what to expect from the next-generation models. Notably, this week gave us our clearest look yet at what appear to be some changes for the volume and mute control hardware.
iOS 16.4 and associated releases are also right around the corner with some new ...
Apple today released tvOS 16.4, the fourth major point update to the tvOS 16 operating system that came out last September. Available for the Apple TV 4K and Apple TV HD, tvOS 16.4 comes two months following the release of tvOS 16.3.
The tvOS 16.4 update can be downloaded over the air through the Settings app on the Apple TV by going to System > Software Update....
Top Rated Comments
You have a critical security bug on your iPhone.
Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.
Option 2: Apple tells the world about the security bug at the moment they fix it.
Which would you prefer? Right now Apple's doing option #1.
arn
I don't think you read the article.
arn
What a terrible attempt at trolling.