As you might expect, Apple is getting a lot of grief from some critics over the alleged failure to deliver a fix to the notorious SSL/TLS bug in a timely fashion, particularly for OS X. The iOS updates came out last Friday; the OS X update, folded in with 10.9.2, was released on Tuesday.
But it didn’t come soon enough for some.
One security writer, who doesn’t earn a link, states, “I have been waiting, these last several days, for the Mac update to come out, because we knew from early on that OS X 10.9 was vulnerable.”
So does “early on” mean when OS X Mavericks was released last October? And if that was indeed the case, why wasn’t he lobbying for the fix then, or at least quietly deliver the evidence to Apple, rather than deliver a case of sour grapes because the update didn’t arrive as fast as he would have liked?
His conclusion is that, since the defect involved a single line of mistakenly duplicated code, it was trivial to repair. The fix? Remove the line of code and recompile.
In theory that seems to make perfect sense, but making even simple updates to a sprawling OS, such as OS 10.9, may seem simple. In the real world it’s decidedly less so. Even if the fix seems ultra simple, it has to be tested on all the installers Apple uses for those updates — and the full installation — and checked to determine there are no other problems, and that the fix itself doesn’t create other possibilities of mischief.
The implication here is that Apple deliberately held off this fix until the pressure of media attention forced them into it.
Clearly that doesn’t make a lick of sense. After all, a bug such as this makes everyone vulnerable, even Apple employees. Yes, Apple employees also faced the risk of having their bank accounts and other secure accounts hacked. They also faced the risk of possibly losing money as a result, so why would they deliberately put off a fix of this sort? To salvage someone’s damaged ego?
Hardly, because OS X and iOS updates routinely contain a number of security fixes. This is par for the course in this business, and it’s very possible a security leak can remain undetected for months or years until it is discovered, often by an independent party. That’s true even for something that, on the surface, appears to be as simple as the SSL/TLS or “gotofail” issue. Indeed, sometimes the simple becomes complicated by being overlooked.
Understand I do not presume to know whether Apple was aware about this bug for months, weeks, or days. Indeed the first word of it came from — Apple — when they released the iOS 7.0.6 and iOS 6.1.6 updates, and it was announced that OS X was similarly impacted. The revelation didn’t come from disgruntled security columnists, or those who otherwise wanted to use the occasion as a means to attack Apple.
True, Apple hasn’t always been as forthcoming as they should be about security bugs, and some suggest that they take too long to release critical fixes, often waiting to roll them into a larger release of one sort or another.
Consider the “Flashback Trojan,” discovered in 2011 by Dr. Web, a Russia-based antivirus company. Although as many as 600,000 Macs were allegedly infected in the ensuing months, Apple didn’t address the bug until April 3, 2012.
At the end of the day, however, it wasn’t Apple’s bug. It was the result of an exploit discovered in Oracle’s Java, which Apple maintained on the Mac platform. However, a lot of things happened in the wake of the Flashback debacle. First and foremost, Apple turned off the Java Applet, by default, to protect you against the Trojan. Oracle has also begun to distribute a Mac version of Java, which contains the latest and greatest code and is regularly updated.
However, some apps still require Java, and OS X will deliver a link to an installer of an Apple version on first launch. One of the Java apps I use regularly, CrashPlan, an online backup tool, is now bundled with Java, so this step is no longer needed.
But if you want to complain, let me give you a genuine example: Although this fact is presented as a new development in yet another lurid headline about Mac security, it dates back to last year, when Apple quietly stopped releasing security updates for OS X Snow Leopard.
In theory that would seem to be a sensible move, since Snow Leopard, or 10.6, was released in 2009, which is positively ancient in OS X terms. However, close to 20% of Mac users still run it, largely for two basic reasons. First is that their Macs aren’t compatible with latest OS X versions. Just as important is the fact that Apple ditched the Rosetta utility as of OS 10.7 Lion, meaning you can no longer run PowerPC apps. That is a deal breaker, particularly for those who still need to use apps that will never be upgraded for Intel.
So I suppose it makes sense to argue that Apple should dedicate some resources to supporting Snow Leopard, since most of the existing user base are stuck with it. The real question, however, is whether any of the unpatched security bugs are near as serious as the SSL bug that impacted OS 10.9. Probably not, but there’s still potential for abuse regardless.
Meantime, some members of the media will continue to fear monger about Apple’s response for the SSL/TLS bug. What they forget, however, is the motive.