It’s Time For an Apple Patch Tuesday

If there’s one thing that can be said about Apple, it’s that the company operates on its own timeline. It does what it pleases at whatever time suits it, and the customers appear. Actually, they don’t simply appear, they wait expectantly and move as one when asked. This has proven to be enormously profitable for Apple and quite satisfying for most of its customers. But the one area where this has not worked so well is security.

This week has been the perfect example of how things have gone sideways for Apple on security. In the space of two days, the company has pushed out a new version of iTunes, a new version of iOS for the iPhone and iPad, and a new version of Mac OS X. Each of these releases included a huge number of security updates, some of which are critical fixes for problems that had been identified weeks or months earlier. For example, iOS 5, released on Wednesday after much anticipation, included 95 security updates. One of these was a fix that removed the DigiNotar root certificates from the list of trusted roots on iOS, something that all of the major browser vendors–including Apple–had done weeks earlier in their desktop versions due to the seriousness of the compromise of the DigiNotar CA infrastructure. But the company wasn’t able to get an iOS update out to fix the problem until this week, more than a month after the first news of the DigiNotar attack came out.

Similarly, Apple used this week’s massive updates for most of its devices to fix several dozen known vulnerabilities in the WebKit framework on which Safari is based. Many of the bugs in the framework were serious memory corruption vulnerabilities that could lead to remote code execution. That doesn’t include the variety of other vulnerabilities in components of iOS, iTunes and OS X that the company patched in the various applications.

What became clear in all of the mess this week is that it’s time for Apple to join the modern world and set up a regular patch schedule. Whether it’s a monthly release the way that Microsoft does it, or a somewhat less-frequent schedule, maybe every other month, doesn’t matter much. What’s important is that Apple give its users some idea of when they can expect security fixes for existing problems.

The issue isn’t just that Apple doesn’t have a predictable schedule for releasing patches, although that’s a big part of it. What’s just as problematic is the company’s almost complete lack of communication on security issues. When a major issue such as the DigiNotar compromise or the BEAST SSL attack arises, many of the large software makers affected will put out some kind of statement, blog post or other message letting users know that they’re aware of the problem and are working on a fix or workaround. Microsoft, Adobe, Mozilla and others have established processes for doing this and it’s rare now that customers are left wondering whether one of these companies is aware of a given problem and when a patch might be available. It’s become a given that the communication will occur, and usually fairly quickly.

Apple doesn’t do any of this. Perhaps this is simply an extension of Apple’s legendary secrecy and reticence about virtually every aspect of the company’s operations. It’s likely that there is less information available about Apple than any other publicly traded company in the country. It’s the flip side of the Google default-open attitude. Being closemouthed about your product and marketing plans is often a shrewd move, especially in today’s ultra-competitive atmosphere. But that kind of posture doesn’t do users any favors when they’re looking for information on how to keep themselves safe from ongoing attacks. It just leaves them adrift without any clear answers.

As a result of its radio silence, Apple also lacks a clear voice on security. It has never had a public spokesman or security lead who has taken on the task of making it clear what the company’s thoughts and stances are on various security issues. Instead, it remains on the periphery of the community and does none of the outreach that other large companies do.

The odd thing about Apple’s lack of communication and haphazard patching schedule is that it really wouldn’t take much effort to fix it. The simplest thing the company could do right now is to just set up a security blog and post updates on known vulnerabilities and when customers can expect a fix. Of course, that would require that Apple also establish a schedule for fixes, but that’s not hard either. Even if it were a quarterly schedule, that predictability would be a major step forward. Right now, users have to comb through long knowledge base articles buried in the support section of Apple’s site in order to find information on security content in any software update. Those updates arrive at random intervals, and as Apple’s user base continues to expand in the enterprise, this lack of a schedule becomes less workable.

Enterprise adoption of Macs and iPhones makes security for these devices a high priority, and just as pressure from large customers helped push Microsoft down the path to Trustworthy Computing years ago, perhaps it will take some plain talk from some of Apple’s more important customers to get the ball rolling there. However it happens, it needs to happen soon. Because right now Apple’s customers are being kept in the dark on security, and that’s just not good enough anymore.

Discussion

  • Anonymous on

    Fanboys and trolls in 3, 2, 1.......

  • Anonymous on

    Glad someone is telling the truth about Apple's terrible security. Safari makes a Mac easier to own than a Windows box.

  • Anonymous on

    You can't have meant Apple's "legendary secrecy and rectitude" as "rectitude" means "moral uprightness". I looked it up. I don't get "moral uprightness" out of any of Apple's behaviors. "Reticence"? meaning reserve? Sure.

  • Randy Grein on

    A bit of 'trolling for comments' here. Apple hasn't been at the forefront of working with the security community, it's true. It is also true that the security community, like the rest of IT, tends to beat on Apple pretty hard - regardless of the relative security needs. Apple has not needed to produce a schedule for updates because the user base is overwhelmingly NOT IT, even when it is corporate. Updates happen automatically when they are released, and we have little coordination to do. Finally, it is also true that Apple users (not fanbois) have a much lower risk profile. That is, most of us take reasonable precautions (including not rattling the black hats if we can avoid it) and enjoy a trouble-free computing life.

    I don't expect that to last much longer. Apple will have to step up a bit to stay ahead. Better communication, sure. Quicker response on patches, absolutely. But a month-long patch cycle for the convenience of IT? Naw, we're just not there.

  • Anonymous on

    Considering a large proportion of their marketing has been based on quotes like this

    "It doesn’t get PC viruses.
    A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part."

    I can understand why there isn't much communication about security issues. Especially since a lot of consumers seem to have interpreted it as Macs being completely invincible to all web nasties and use this as a justification for their purchase.

    This quote on Apple's security page explains why there is no communication:

    "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."
