Apple users left exposed to serious threats for weeks, former employee says

Patch delay comes two months after previous lapse for critical "goto fail" fix.

A noted whitehat hacker who spent more than a year on Apple's security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.

Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday's release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.

"Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: 'I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'" Paget wrote in Wednesday's blog post. Addressing Apple officials directly, Paget continued:

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms—but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

In what world is this acceptable?

Paget's critique comes two months after Apple patched the extremely critical "goto fail" bug in iOS without fixing it in the Mavericks version of OS X. Critics once again warned that the code and description Apple released for the mobile update gave a roadmap attackers could use to target the same flaws during the four-day window it remained unpatched on desktops. The bug, which made it trivial to bypass crucial HTTPS encryption protections, was finally fixed on Mavericks on February 25.

Paget—who has also been employed by Google and eBay—called on readers to cross-check previous iOS and OS X security updates to see if they also showed long lapses between the time when critical vulnerabilities are fixed on one platform and when they're repaired on the other.

Listing image by Aurich Lawson