Apple: What took so long?

Summary: Why did it take four days longer for Apple to patch the SSL/TLS bug on OS X than on iOS? Even in this difficult situation Apple could have handled things better.

Four days after Apple patched a five-alarm, all-hands-on-deck vulnerability in iOS, they have issued the patch for the same vulnerability in OS X 10.9 (Mavericks). The update, bringing OS X to version 10.9.2, included numerous other updates to the OS, including a large batch of separate security fixes, many serious.

I have been waiting, these last several days, for the Mac update to come out, because we knew from early on that OS X 10.9 was vulnerable. Earlier generations of OS X were not vulnerable. The update didn't come. This made no sense to me, since the fix was obviously really easy: delete one mistaken line of code and recompile. Obviously it needed to be tested some, but so did the iOS version. It takes four more days to test the OS X version?

Let's assume that yesterday's updates were pushed out as soon as possible: The fact that Apple released many other security updates might be a good reason to delay. Perhaps it would be somehow confusing and inconvenient for users if a highly-severe security update comes out and then, four days later, many more come.

It's not usual for Apple to issue lone security updates, but it does happen: Over the last few years there have been these:

What makes this situation special, and what I would argue merited Apple releasing the OS X SSL update as early as possible, was that they had already let the cat out of the bag: The iOS version was out, and with enough information that experts quickly determined what it was all about and that OS X was also affected. Consequently, for that four-day period, Mac users were conspicuously open to attack.

If it made sense to delay anything, it would have been better to delay the iOS update for the four days until they could release it all. The argument against this is that they would be leaving iOS users vulnerable, but that would only be a problem if the vulnerability were known or even being exploited in the wild; that would be a good reason to move fast. Apple hasn't said that this was the case, and I doubt they would hold it back if they knew.

So it's not exactly news, but Apple doesn't really have their act together where this vulnerability disclosure and fixing stuff comes in, even though they have improved a great deal over time.

Topics: Security, Apple, iOS

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
