It's Time For an Apple Patch Tuesday

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:36


If there’s one thing that can be said about Apple, it’s that the company operates on its own timeline. It does what it pleases at whatever time suits it, and the customers appear. Actually, they don’t simply appear, they wait expectantly and move as one when asked. This has proven to be enormously profitable for Apple and quite satisfying for most of its customers. But the one area where this has not worked so well is security.

This week has been the perfect example of how things have gone sideways for Apple on security. In the space of two days, the company has pushed out a new version of iTunes, a new version of iOS for the iPhone and iPad, and a new version of Mac OS X. Each of these releases included a huge number of security updates, some of which are critical fixes for problems that had been identified weeks or months earlier. For example, iOS 5, released on Wednesday after much anticipation, included 95 security updates. One of these was a fix that removed the DigiNotar root certificates from the list of trusted roots on iOS, something that all of the major browser vendors (including Apple) had done weeks earlier in their desktop versions because of the seriousness of the compromise of the DigiNotar CA infrastructure. But the company wasn't able to get an iOS update out to fix the problem until this week, more than a month after the first news of the DigiNotar attack came out.

Similarly, Apple used this week’s massive updates for most of its devices to fix several dozen known vulnerabilities in the WebKit framework on which Safari is based. Many of the bugs in the framework were serious memory corruption vulnerabilities that could lead to remote code execution. That doesn’t include the variety of other vulnerabilities in components of iOS, iTunes and OS X that the company patched in the various applications.

What became clear in all of the mess this week is that it’s time for Apple to join the modern world and set up a regular patch schedule. Whether it’s a monthly release the way that Microsoft does it, or a somewhat less-frequent schedule, maybe every other month, doesn’t matter much. What’s important is that Apple give its users some idea of when they can expect security fixes for existing problems.

The issue isn’t just that Apple doesn’t have a predictable schedule for releasing patches, although that’s a big part of it. What’s just as problematic is the company’s almost complete lack of communication on security issues. When a major issue such as the DigiNotar compromise or the BEAST SSL attack arises, many of the large software makers affected will put out some kind of statement, blog post or other message letting users know that they’re aware of the problem and are working on a fix or workaround. Microsoft, Adobe, Mozilla and others have established processes for doing this and it’s rare now that customers are left wondering whether one of these companies is aware of a given problem and when a patch might be available. It’s become a given that the communication will occur, and usually fairly quickly.

Apple doesn't do any of this. Perhaps this is simply an extension of Apple's legendary secrecy and reticence about virtually every aspect of the company's operations. It's likely that there is less information available about Apple than about any other publicly traded company in the country. It's the flip side of Google's default-open attitude. Being close-mouthed about your product and marketing plans is often a shrewd move, especially in today's ultra-competitive atmosphere. But that kind of posture doesn't do users any favors when they're looking for information on how to keep themselves safe from ongoing attacks. It just leaves them adrift without any clear answers.

As a result of its radio silence, Apple also lacks a clear voice on security. It has never had a public spokesman or security lead who has taken on the task of making it clear what the company’s thoughts and stances are on various security issues. Instead, it remains on the periphery of the community and does none of the outreach that other large companies do.

The odd thing about Apple’s lack of communication and haphazard patching schedule is that it really wouldn’t take much effort to fix it. The simplest thing the company could do right now is to just set up a security blog and post updates on known vulnerabilities and when customers can expect a fix. Of course, that would require that Apple also establish a schedule for fixes, but that’s not hard either. Even if it were a quarterly schedule, that predictability would be a major step forward. Right now, users have to comb through long knowledge base articles buried in the support section of Apple’s site in order to find information on security content in any software update. Those updates arrive at random intervals, and as Apple’s user base continues to expand in the enterprise, this lack of a schedule becomes less workable.

Enterprise adoption of Macs and iPhones makes security for these devices a high priority, and just as pressure from large customers helped push Microsoft down the path to Trustworthy Computing years ago, perhaps it will take some plain talk from some of Apple’s more important customers to get the ball rolling there. However it happens, it needs to happen soon. Because right now Apple’s customers are being kept in the dark on security, and that’s just not good enough anymore.