Apple Leaves iOS Users Vulnerable by Releasing OS X Patch at an Earlier Time


    Security researcher Kristin Paget, who worked on Apple's security team before leaving for Tesla in early 2014, recently took to her blog to criticize Apple for fixing more than a dozen security flaws in iOS weeks after patching the same flaws in OS X. Apple's recently released iOS 7.1.1 patches multiple WebKit vulnerabilities that had already been fixed in OS X with the release of Safari 7.0.3 on April 1. Because the Safari update's release notes enumerate the fixed bugs, the gap between the two releases told attackers exactly which flaws were still open on Apple's mobile operating system and gave them weeks to exploit them. Paget said the following on her blog regarding the matter:

    Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for weeks afterwards? You really don't see anything wrong with this?

    Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
    Addressing Apple, Paget went on to write that Apple needs to sit in front of a chalkboard and write out the following:

    I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS.
    In addition to the WebKit vulnerabilities that were patched out of sync, Apple also recently exposed a major OS X flaw by patching the same flaw in iOS first. Back in February, with the release of iOS 7.0.6, a serious SSL/TLS certificate verification vulnerability came to light. Known as the "goto fail" bug, it caused Apple's SSL library to skip part of the server signature check, leaving iOS and OS X users open to man-in-the-middle attacks in which an attacker on the network could pose as a trusted website to intercept communications or acquire sensitive information.

    For those of you who didn't know, Apple launched iOS 7.0.6 on Friday, February 21, fixing the vulnerability on iOS but leaving OS X users exposed to the attack until the following Tuesday, February 25, when it released OS X 10.9.2 to patch the same flaw.
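    The "goto fail" bug described above, as an added example that is not part of the original post and not Apple's SecureTransport source: a constructed C model of the pattern behind CVE-2014-1266. The hash (hash_update/hash_final), the signature format ("sig:<hash>"), the sign() helper and the sample parameters are stand-ins so the file runs offline; only the control flow of verify_vulnerable() mirrors the real bug, where a duplicated "goto fail;" jumps to the exit while err still holds 0 (success), so the signature over the server's key exchange is never verified and a forged signature is accepted.

```c
/* Added example: constructed model of the "goto fail" pattern (CVE-2014-1266).
 * Not Apple's code: the hash and signature check are toy stand-ins so this
 * file runs offline. Only the control flow of verify_vulnerable() mirrors the
 * real bug. */
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
enum { errSSLNoErr = 0, errSSLCrypto = -1, errSSLBadSignature = -2 };

/* Toy hash (stand-in for SSLHashSHA1.update/final): polynomial over bytes. */
static OSStatus hash_update(unsigned *ctx, const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        *ctx = *ctx * 31u + (unsigned char)buf[i];
    return errSSLNoErr;
}
static OSStatus hash_final(const unsigned *ctx, unsigned *out) {
    *out = *ctx;
    return errSSLNoErr;
}

/* Toy signer: a genuine signature is the string "sig:<hash of params>". */
const char *sign(const char *params) {
    static char buf[32];
    unsigned h = 0;
    hash_update(&h, params, strlen(params));
    snprintf(buf, sizeof buf, "sig:%u", h);
    return buf;
}

/* Stand-in for sslRawVerify(): accept only the genuine signature. */
static OSStatus raw_verify(unsigned hash, const char *sig) {
    char expected[32];
    snprintf(expected, sizeof expected, "sig:%u", hash);
    return strcmp(expected, sig) == 0 ? errSSLNoErr : errSSLBadSignature;
}

/* Shape of the vulnerable verification routine. */
OSStatus verify_vulnerable(const char *params, const char *sig) {
    OSStatus err;
    unsigned ctx = 0, hashOut = 0;
    if ((err = hash_update(&ctx, params, strlen(params))) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, and err is still 0 */
    if ((err = hash_final(&ctx, &hashOut)) != 0)   /* never reached */
        goto fail;
    err = raw_verify(hashOut, sig);                /* never reached */
fail:
    return err;
}

/* Fixed shape: same code without the stray goto; braces added so a future
 * duplicated line cannot silently escape the if body again. */
OSStatus verify_fixed(const char *params, const char *sig) {
    OSStatus err;
    unsigned ctx = 0, hashOut = 0;
    if ((err = hash_update(&ctx, params, strlen(params))) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &hashOut)) != 0) {
        goto fail;
    }
    err = raw_verify(hashOut, sig);
fail:
    return err;
}

int main(void) {
    const char *params = "server-dh-params";   /* constructed sample input */
    printf("vulnerable, forged signature : %d\n", verify_vulnerable(params, "forged"));
    printf("fixed,      forged signature : %d\n", verify_fixed(params, "forged"));
    printf("fixed,      genuine signature: %d\n", verify_fixed(params, sign(params)));
    return 0;
}
```

    The vulnerable routine returns 0 for any signature at all, which is exactly what lets an attacker in the middle present a key exchange the real server never signed. Compiling with -Wunreachable-code (or, better, a style that always braces if bodies) is the cheap check that would have flagged the stray line.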

    Source: Kristin Paget (blog)
    This article was originally published in the forum thread "Apple Leaves iOS Users Vulnerable by Releasing OS X Patch at an Earlier Time" started by Akshay Masand.
    Comments (2)
    1. Zokunei:
      Judging by what happens every major software release, Apple probably doesn't have powerful enough servers to issue Mac and iOS updates at the same time. They really need to fix that.
    2. znbl:
      The real reason seems to be the very nature of iOS's design. While the OTA "delta"** style updates for iOS are a big step forward, they're still well behind OS X, which allows individual apps like Safari and iTunes to be updated separately, as well as general system security updates. This is something iOS should have had from the start (the ability to update each app/lib separately), which would allow such fixes to be pushed out just as fast as on OS X.

      Sticking with this locked-down, all-or-nothing approach has proven to be a hindrance time and time again for what should be a simple update of one program or central library rather than an entire OS update; full OS updates should be reserved only for when you truly need to restore the system.

      ** As I said, the "delta" approach is a step in the right direction, though it still boils down to a full update; it just cuts out the downloading of files that weren't changed between versions to ease server load and lessen download sizes and times. This is NOT the same as updating individual programs on the system like OS X does.