Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Apple Leaves Users Vulnerable By Not Fixing iOS and OS X Security Issues Simultaneously
Notable computer security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, has taken to her blog (via Ars Technica) to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching them in OS X.
iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.
Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.
iOS 7.1.1, released yesterday, patched multiple WebKit vulnerabilities that were initially fixed in OS X with the release of Safari 7.0.3 on April 1. The delay between fixes, says Paget, alerted hackers to serious flaws potentially exploitable on Apple's mobile operating system and then gave hackers ample time to exploit the vulnerabilities.
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don't see anything wrong with this?Addressing Apple, Paget goes on to write that Apple needs to sit in front of a chalkboard and write out "I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS."
Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw when patching the same flaw in iOS. Back in February, with the release of iOS 7.0.6, a major SSL connection verification vulnerability came to light. Known as the "goto fail" bug, it left iOS and OS X users vulnerable to man-in-the-middle attacks where hackers could pose as a trusted website to intercept communications or acquire sensitive information.
Apple launched iOS 7.0.6 on a Friday, fixing the vulnerability on iOS but leaving OS X users vulnerable to attack until the following Tuesday, when it released OS X 10.9.2 to patch the security flaw.
[ 141 comments ]
Top Rated Comments
(View all)
68 months ago
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup.
You have a critical security bug on your iPhone.
Option 1: Apple tells the world about the security bug, and how to exploit it, but doesn't fix it for 1-3 weeks.
Option 2: Apple tells the world about the security bug at the moment they fix it.
Which would you prefer? Right now Apple's doing option #1.
arn
68 months ago
No company is perfect, and honestly, they're all pretty much the same.
I don't think you read the article.
Did iOS 7.1.1 and the recent Lion/ML/Mavericks Security Updates fix the same security issues? They both dropped yesterday, so maybe they've learnt their lesson.
I don't think you read the article.
arn
68 months ago
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catch up.
But not if the one patch alerts baddies to the same unpatched vulnerability on the other platform, creating a 0day for your other platform.
68 months ago
Apple should also start building cars that explode on impact. Oh wait...
What a terrible attempt at trolling.
68 months ago
I'm still of the belief that Apple simply doesn't have enough software people to do all the things they need to do. Hence why it takes them so long to fix stuff. Well, at least not in a way that will affect their margins.
68 months ago
I would rather them push out updates as soon as they are ready. Not wait for the other OS to catchup.
68 months ago
Do you really, REALLY think that only apple knows about it? How many hackers do that for a living?
It doesn't negate the two options. There's still a difference between some hackers knowing about it and Apple publicizing it.
arn
68 months ago
Arn, I think the second paragraph needs to be included in the quote.
The following is definitely a quote:
The following is definitely a quote:
Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire user base of the other platform exposed to known security vulnerabilities for weeks at a time?
[ Read All Comments ]
After a busy few weeks of news and rumors, things slowed down a little bit this week, but there were still some major stories worth highlighting. Those include our first hands-on look at dummy models...
For this week's giveaway, we've teamed up with Reolink to offer MacRumors readers a chance to win an Argus 2 wire-free rechargeable home camera and a solar panel for charging it up outdoors.
...
Apple Music has renamed its "The A-List: Hip-Hop" playlist to "Rap Life."
Ebro Darden, global editorial head of hip-hop and R&B at Apple Music, will host a companion...
Samsung is believed to be Apple's exclusive supplier of OLED displays for iPhones, but it may have company soon.
In a research note shared with MacRumors, Barclays analysts said fellow...
1Password has restored the option for customers who originally purchased its iOS app to create a local vault during setup, after users queued up online to voice their frustrations with the fact that...
Apple is planning to open an office in highly desired location in Vancouver, Canada reports Bloomberg. The company has leased space in a 24-story office building at 400 West Georgia owned by...
Elevation Lab, known for its line of popular iPhone charging docks, today released the FamilyCharger, a multi-charging setup designed to allow you to charge all of your devices in one place.
The...
Apple today seeded the third beta of an upcoming macOS Catalina update to its public beta testing group, two weeks after seeding the second public beta and a day after seeding the fourth developer...
