Security researcher Kristin Paget wrote a highly critical piece slamming Apple for delaying a patch for iOS that had already been issued for Safari and OS X, leaving mobile users at risk from attackers executing arbitrary code if the user mistakenly browsed a malicious website.
“Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit,” Paget wrote. “But clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago.”
Paget, formerly with Apple and now working with Tesla Motors, noted that multiple vulnerabilities fixed in this week’s iOS 7.1.1 update were the same that had already been addressed in the April 1st releases for Safari 6.1.3 and 7.0.3 for OS X.
“Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?”
Paget likens releasing patches for some products while leaving others exposed to Apple using OS X to drop zero-days on iOS, and says the company compounds the problem by not alerting users to the risk.
“Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?” Paget continued. “In what world is this acceptable?”