mostly in English, sometimes in Deutsch

Apple patches Mac OS/X and then iOS – with ‘only’ three weeks delay inbetween. Shame on them.

Found at http://www.tombom.co.uk/blog/?p=492 – please read there.

 

Copy follows

 

 

Apple + Patching = You’re Doing It Wrong 😦

Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit, which includes:

CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative

What’s particularly interesting about this list is that is looks an awful lot like thelist of bugs fixed in Safari 7.0.3 on the desktop, which was released some 3 weeks ago on April 1st:

CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative

OK, so the desktop patch also included a few more issues – but clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago. Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines:
“I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.

Seriously, Apple – what the fuck?

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

In what world is this acceptable?

I’m starting a bounty. One thousand Defcoin and my eternal respect to the first person to cross-check the list of bugs fixed in iOS versus the list of bugs fixed in OS X, and draw a pretty graph (with supporting open-source data) of how many patches are missing on each platform compared to the other over time. Should be an interesting picture…

-K

Tagged as:

Categorised in: InEnglisch, Programming, Technology

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: