Apple: What took so long?


Summary: Why did it take four days longer for Apple to patch the SSL/TLS bug on OS X than on iOS? Even in this difficult situation Apple could have handled things better.

TOPICS: Security, Apple, iOS

Four days after Apple patched a five-alarm, all-hands-on-deck vulnerability in iOS, it has issued the patch for the same vulnerability in OS X 10.9 (Mavericks). The update, which brings OS X to version 10.9.2, also includes numerous other changes to the OS, among them a large batch of separate security fixes, many of them serious.

I have been waiting these last several days for the Mac update to come out, because we knew from early on that OS X 10.9 was vulnerable. Earlier generations of OS X were not. The update didn't come. This made no sense to me, since the fix was obviously really easy: delete one mistaken line of code and recompile. Obviously it needed some testing, but so did the iOS version. Does it take four more days to test the OS X version?
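To make the "one mistaken line" concrete, here is an added example, not Apple's code: a simplified model of the duplicated "goto fail;" defect in a signed-parameter check, with the buggy shape beside the fixed one. Hashing and signature verification are replaced by toy stubs, and every name in it (hash_update, verify_sig, verify_buggy, verify_fixed) is hypothetical.

```c
/* Added example, not Apple's code: a simplified model of the duplicated
 * "goto fail;" defect.  Hashing and signature checking are replaced by toy
 * stubs; every name below is hypothetical. */
#include <string.h>

/* Toy stand-ins for hash update/final and signature verification.
 * Like the real routines they return 0 on success, non-zero on error. */
static int hash_update(unsigned *ctx, const char *d) { *ctx = *ctx * 31u + (unsigned)strlen(d); return 0; }
static int hash_final(unsigned *ctx, unsigned *out) { *out = *ctx; return 0; }
/* A "signature" is valid only if it equals the digest (constructed rule). */
static int verify_sig(unsigned digest, unsigned sig) { return digest == sig ? 0 : -1; }

/* Vulnerable shape: the second "goto fail;" is unconditional, so hash_final
 * and verify_sig never run and err is still 0, meaning "signature OK". */
static int verify_buggy(const char *server_random, const char *params, unsigned sig)
{
    int err;
    unsigned ctx = 0, digest = 0;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
        goto fail;   /* the one mistaken line: always taken */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = verify_sig(digest, sig);
fail:
    return err;
}

/* Fixed shape: identical except the extra line is gone.  hash_final and
 * verify_sig now execute, so their error returns (previously unreachable
 * code paths) are reported to the caller. */
static int verify_fixed(const char *server_random, const char *params, unsigned sig)
{
    int err;
    unsigned ctx = 0, digest = 0;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = verify_sig(digest, sig);
fail:
    return err;
}
```

With a signature that does not match the digest, verify_buggy still returns 0 (accepted) while verify_fixed returns -1; the fix also means the error paths of the final hash and verify steps are exercised for the first time, which is the only behavioural change a tester would need to look at.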

Let's assume that yesterday's updates were pushed out as soon as they could be. The fact that Apple had many other security updates ready might be a reason to delay: perhaps it would be confusing and inconvenient for users if a highly severe security update came out and then, four days later, many more followed.

It's not usual for Apple to issue lone security updates, but it does happen: Over the last few years there have been these:

What makes this situation special, and I would argue merited Apple releasing the OS X SSL update as early as possible, is that they had already let the cat out of the bag: the iOS version was out, with enough information that experts quickly determined what it was all about and that OS X was also affected. Consequently, for that four-day period, Mac users were conspicuously open to attack.

If it made sense to delay anything, it would have been better to delay the iOS update for the four days until they could release it all. The argument against this is that they would be leaving iOS users vulnerable, but that would only be a problem if the vulnerability were known or even being exploited in the wild; that would be a good reason to move fast. Apple hasn't said that this was the case, and I doubt they would hold it back if they knew.

So it's not exactly news, but Apple doesn't really have its act together where vulnerability disclosure and patching are concerned, even though it has improved a great deal over time.

  • Improved over time?

    Can you elaborate? I have seen no improvement from them. No one knows what Apple's security policy is (as in what is supported and for how long, when they'll release patches, how they'll communicate information to everyone, etc). All we know is that Apple may, some day, fix a security vulnerability. That's it. That's the way it has been. So I'm not sure why you're saying they've improved.
    • how they're better

      Believe it or not, they're much more timely than they used to be. Their disclosures are more informative than many other companies', and they have implemented many defensive technologies. I would also say that their fascist police state management of iOS development and the app store has been an effective technique to keep the iOS ecosystem secure, although there are obvious drawbacks too.
      • More timely?

        How so? You've even stated there are a number of known vulnerabilities in Mountain Lion which have remained unpatched despite being patched in Mavericks. Disclosures? I'm not seeing much of an improvement there either.
        • Yeah, in the long term

          I've been following their vulnerability disclosures for a really long time. They're much faster than they used to be. And while there are plenty of self-serving reasons for them to lock down the iOS app ecosystem, security must have also been a reason and it's been a big success in that regard. I'm sure they would like to move Macs in that direction too, but that will be hard.
          • I guess we'll have to agree to disagree.

            I've been following their disclosures for a long time too and I don't see them as having improved all that much. Nor do I feel they're releasing security patches at a faster rate than they previously did.

            Regardless there's a lot of room for improvement. First and foremost creating a policy of what is and for how long a version of their OS will be supported.

            As for the iOS I'm not as concerned about that. I believe the locked down ecosystem has been beneficial to security. And I'm sure they, and Microsoft, would love to have everything vetted through a store and locked down like iOS.
          • There is no way to disagree that Apple became much faster and explains ...

            ... a lot more than before.

            Lawrence is totally right about this, you can not argue with the fact.

            What did not improve, however, is that there is still no public security policy, where the company would declare the way they operate in different security-related situations. Users fundamentally never know when patches will come unless Apple will be merciful enough and tip users and media on that.

            It is not mandatory by any public policy, and this can be serious issue for businesses.
        • There was a time...

          when they would receive security alerts or updates from partners and they sat on them for 6 months or more, before outside pressure became too much and sticking their head in the sand stopped working.

          Now they are releasing them within a week, but it was still badly coordinated.
  • One possible explanation

    Is that Apple became aware of targeted and/or extensive attacks specifically directed at iOS devices. In that case it would make sense to push out the patch before they originally planned; just to stop what could be very public and embarrassing mass exploitation or exploitation of high-profile targets.

    That is the only case that I can come up with which could warrant the extra high-risk days for OS X customers.
  • It seems to be the wrong question...

    Why did it take four days longer? Well fairly obviously it just did? None of us work there, but an educated guess tells me that they wouldn't just sit there having pot shots taken at them by every hack and fanboy when they just had to delete a line of code.

    Instead the real question is was it the right thing to issue the iOS update, thus exposing to the public Mac OS's security flaw (given that as yet this looks like an unbreached exploit) or should they have updated both four days later and not left one exposed with the risk publicised?

    More importantly for Apple; how long is a software company liable for faulty coding? Clearly they updated back to Lion. In future shouldn't we expect them to patch older systems if they, essentially, made it badly?
    • Did you read the article?

      This is essentially the question the author asks. "If it made sense to delay anything, it would have been better to delay the iOS update for the four days until they could release it all. "
  • Heading from internal Apple memo ...

    "Plot Wanted"
  • Hype

    The media not going into full hysteria mode would help. There are no reports or evidence of anybody being compromised because of this bug, not ONE person. Yet the media reports gave the impression you were in imminent danger using your iOS or OSX device. Heck as of last night Ars Technica still had an article on their front page wondering when the OSX fix was coming and NO mention that an update had already been released. That's just shoddy journalism. This whole episode was about creating hysteria to generate page clicks.
    • You are right

      There is not one person reporting being compromised, but the very nature of the bug allowed "the man in the middle" to go undetected. Personally the fix was given to iOS first as there are way more devices out there with iOS than Mac OS X.
    • sorry but you're wrong about everything you said

      This bug is about insecure connections and man-in-the-middle attacks. Someone could already have stolen your bank account information and you would never know about it.

      If you're so sure about this, don't update this patch. Just keep telling yourself you're safer with a Mac but please don't make such a silly comment because the world clearly is better without it.
  • Thoughts

    "Obviously it needed to be tested some, but so did the iOS version. It takes four more days to test the OS X version?"

    That's a good question. Why does it take four days to test a single line of code? Was one of their test machines crashing with the change?

    "If it made sense to delay anything . . ."

    Frankly, it doesn't make sense to delay anything - it's a security patch, it should be pushed ASAP.

    "The argument against this is that they would be leaving iOS users vulnerable, but that would only be a problem if the vulnerability were known or even being exploited in the wild"

    You can never really assume that it's NOT being exploited in the wild, especially when the exact problem can be traced easily to a single line of code in a file. It's simply not a safe assumption. Malware these days hides itself and is invisible to most users.
    • most users

      oops - most users - need edit button.
    • the reality was it wasn't a single line of code

      There were multiple "goto fail;" lines to remove... or restructure. However, there is even more to it than that... Still, it shouldn't have taken any longer than to do the iOS update.

      There is an assumption that no one was exposed... frankly I find this preposterous... you think every exploit is discovered... look at Target and Neiman Marcus who were exploited for months undetected and PCI data is supposed to be guarded like the crown jewels.
      • that's not true

        There were tons of "goto fail;" lines in the file, but only one of them was responsible for the error.
        • Could it be done without side effects, though?

          Could it be done without side effects, though? I've seen some pretty odd stuff in my career, including things that seem "wrong," but were done on purpose because of some archaic bug or compatibility problem. Which is why I'm wondering if maybe some of their test machines crashed or something.
          • error conditions

            I've thought about this some. The only difference after fixing the bug is that certain error conditions would be caught which otherwise would not be caught. Yes, this would then exercise code which had, heretofore, never been executed, but it's pretty simple code.
            Actually, another interesting case for them would be to compare the same error conditions between Mountain Lion and Mavericks; the error wasn't in Mountain Lion, which leads me to believe that Apple changed the SSL code in Mavericks to a common base with iOS's code. That's just a guess, but I think it makes sense.