Apple took more than three years to fix a hole in its iTunes updater that allowed the software to be used as a distribution vector for spyware.
A recent Wall Street Journal report detailed off-the-shelf surveillance software used by regimes such as the one that fell in Egypt earlier this year. One of these packages was FinFisher, sold by a UK firm called Gamma. The spyware could be disseminated through a phony update for iTunes, exploiting a flaw in the media player's updating mechanism.
Cybercrime journalist Brian Krebs wrote on Wednesday that the same flaw had been reported to Apple by Argentinian security researcher Francisco Amato in July 2008. Amato had developed a penetration tool called Evilgrade to exploit the vulnerability.
According to email exchanges between Amato and Krebs, Apple acknowledged receipt of the researcher's report but did not contact him about the findings until October 2011, when it "sent an email to confirm his name and title for the purposes of crediting him with reporting the flaw in its iTunes 10.5.1 patch release details".
Krebs noted that Apple had not even responded when Amato shipped a major update to Evilgrade in October 2010. He added that, while Apple had taken more than three years to fix the flaw Amato described, the company's normal average response time to such reports was around three months.
It appears that the flaw only affected the Windows version of iTunes. Krebs said Amato had tried to replicate it on OS X systems, but had failed.
ZDNet UK has asked Apple for comment on the length of time it took the company to close the hole, but had received no answer at the time of writing.