Four days after Apple patched a five-alarm, all-hands-on-deck vulnerability in iOS, they have issued the patch for the same vulnerability in OS X 10.9 (Mavericks). The update, bringing OS X to version 10.9.2, included numerous other updates to the OS, including a large batch of separate security fixes, many serious.
I have been waiting, these last several days, for the Mac update to come out, because we knew from early on that OS X 10.9 was vulnerable. Earlier generations of OS X were not vulnerable. The update didn't come. This made no sense to me, since the fix was obviously really easy: delete one mistaken line of code and recompile. Obviously it needed some testing, but so did the iOS version. Does it really take four more days to test the OS X version?
Let's assume that yesterday's updates were pushed out as soon as possible. The fact that Apple released many other security updates at the same time might be a good reason to delay: perhaps it would be somehow confusing and inconvenient for users if a highly severe security update came out and then, four days later, many more followed.
It's unusual for Apple to issue lone security updates, but it does happen. Over the last few years there have been these:
- The case of the fake Comodo certificates
- The case of the fake Diginotar certificates
- The Flashback Remover
- Disabling old Flash versions
- Software Update man-in-the-middle attack
What makes this situation special, and I would argue merited Apple releasing the OS X SSL update as early as possible, is that they had already let the cat out of the bag: the iOS version was out, with enough information that experts quickly determined what it was all about and that OS X was also affected. Consequently, for that four-day period, Mac users were conspicuously open to attack.
If it made sense to delay anything, it would have been better to delay the iOS update for the four days until they could release it all at once. The argument against this is that they would be leaving iOS users vulnerable, but that would only be a problem if the vulnerability were already known or being exploited in the wild; that would be a good reason to move fast. Apple hasn't said that this was the case, and I doubt they would have held it back if they knew.
So it's not exactly news, but Apple still doesn't really have their act together when it comes to vulnerability disclosure and fixing, even though they have improved a great deal over time.