Ka-bangie

Gosh, it seems like just yesterday the Macalope was questioning Apple’s commitment to security. Oh, wait, it was!

Well, this is a nice sign. Well done, Apple.

And, hey, how about those comments by the Inquirer’s Nick Farrell the Macalope linked to:

Another problem is that Apple has learned nothing from Microsoft in dealing with exploits. Microsoft has changed its attitude to start fixing exploits quickly. However Apple still goes through a phase of denying that problems exist before it looks at them.

For example, the aforementioned bug in the Iphone [sic] operating system has been known to Apple for weeks but so far it has done nothing about it.

It has however released security patches to thwart jailbreaking software and prevent Palm from using Itunes [sic], which indicates Apple’s priorities.

Crow is a fairly dry meat, Nick, so you’ll probably want a sweeter wine to accompany it. The Macalope recommends a Riesling or maybe a Gewurztraminer.

Comments
  • There’s no crow to be eaten. Apple still waited for the very day when the exploit was demonstrated to release the patch; don’t tell me it just so happens that it took them exactly that many days, since they were notified of the vulnerability, to develop the patch.

    They just decided that the deadline for fixing it was the day when it would be demonstrated. That’s not how you handle security. You’re supposed to be in a hurry to fix vulnerabilities as soon as you learn about them — especially when they’re that serious. Just because that one security researcher waited to divulge the details doesn’t mean that some other hackers didn’t, or couldn’t, discover the flaw by themselves.

  • The Macalope:

    Of course they didn’t fix it overnight. The parts that are ridiculous are this:

    However Apple still goes through a phase of denying that problems exist before it looks at them.

    Where’s this supposed denial?

    And this:

    …so far it has done nothing about it.

    Actually, no, they’ve been working on a fix. And Microsoft fixes every flaw before it’s revealed? “Weeks” (wherever he got that) certainly seems like a reasonable amount of time to code a fix and then test it.

    It’s not that Apple’s been good in this regard in the past. They sat on the last bug for months. That was unacceptable and the Macalope said so at the time. But this time they got on it fast, even if it took a few weeks.

  • admin:

    The same bug affected Android phones, too. Has Google fixed it yet? (Really asking. Didn’t see any results on, er, Google.)

  • dukrous:

    The problem is never with the speed of the fix, but the silence. A fix will take as long as it takes. If it takes weeks, then weeks…months, well then someone’s letting the gerbil run a little slower than he should to keep the power going. But while all of this was coming out, where was Apple’s PR saying a fix was on the way? All we heard was “Hey, we’ll have it fixed Satur…hold on, it’s ready now!”

    Comparing Apple security to Microsoft is just plain dumb. Microsoft has their Patch Tuesdays every month with special out of band updates for critical problems. Apple just sorta waits until the patch is 100MB or so and then releases it. If there was some pattern to Apple’s releases few would worry, even if the pattern was “Patches this month: None.”

  • dukrous:

    @ADMIN: Google patched the exploit within a week of learning about the problem and rolled it into the Cupcake patch. See source here: http://technologizer.com/2009/07/30/your-phone-is-probably-vulnerable-to-malicious-text-messages.

    Also, this patch was fixed in WinMo 6, so Apple’s iPhone was the last platform this was fixed on.

  • But who’s going to target Android phones? :)) As a target, the iPhone and Android are equivalent to Windows and the Mac five years ago :)

    Okay, let’s just say that, given Apple’s track record in security matters, I just don’t find anything worthy of “eating crow” in those comments. They’re more of a matter of opinion. I still do think that taking six weeks (according to http://news.cnet.com/8301-27080_3-10299378-245.html ) to fix a “memory corruption bug” is too long (it’s not like they had to organize a wide beta test; they didn’t).

    It’s mostly the fact that they released the fix on the same day the vulnerability was demonstrated that grates on me. There’s no way it doesn’t mean they could have released it earlier if they’d been more reactive.

  • (I meant to say “taking six weeks to fix a memory corruption bug that has such dramatic consequences”)

  • LunaticSX:

    Could it be that Apple had the patch ready beforehand, but they wanted to be sure that there weren’t any last minute “gotchas” added on to the demonstration of the bug that they HADN’T been informed of?

    Look at it this way:
    1. Apple patches the bug before the security researcher demonstrates it
    2. The security researcher no longer has the original exploit to demonstrate in his planned session, so what does he do?
    3. Well, there’s nothing as sensational as an iPhone exploit, so he:
    A) Bangs on Apple’s patch beforehand to try to break it, so he can one-up Apple
    B) Has another iPhone security exploit in his pocket to reveal. It may not be as big, it may not be as well researched, but hey, he’s gotta please the crowd who came looking for blood, right? Probably it’s something he hasn’t told Apple about yet, because he hadn’t finished researching it. Due to that, he doesn’t actually demonstrate it; but now the word is out and others who truly wish to use it maliciously could figure it out without Apple having advance warning.

    It actually makes sense that if Apple couldn’t release the patch significantly before the demonstration of the exploit that they waited until RIGHT AFTER.

  • wilmox:

    Yes waiting to release a patch can be dangerous stuff and the media will be all over a company (reserved for Apple only) who fails to patch in a timely manner.

    From an article posted March 18 2009

    Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched and now comes word that there are in-the-wild exploits circulating.

    The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

    Link to article here: http://infosecurity.us/?p=7203