Apple + Security & Privacy

Does Apple care more about securing Mac users than iPhone users?

Posted on April 24th, 2014 by

Does Apple care more about securing Mac users than iPhone users?

In the last couple of days, Apple has issued critical security patches for iOS, Mac OS X, the Apple Airport Base Station, and even the innocuous hockey puck-shaped Apple TV.

And I trust, as a regular loyal reader of the Mac Security blog, that you haven’t wasted any time ensuring that all of your devices and gadgets are fully patched up, and protected from potential attack by hackers.

After all, some of the security flaws tackled by these patches are extremely serious – and could lead to your devices being compromised by malicious hackers, or your personal and private data being stolen.

But the list of patches above reveals just how many different types of consumer and business gadgets Apple’s security team needs to consider these days when a new flaw is discovered, and raises an important question:

Does Apple treat all of its products equally when it comes to security?

Sadly, it seems they don’t.

Take a look at this list of issues that Apple has just fixed in WebKit, the framework that underlies the Safari browser on iPhones and iPads, and the security holes it addressed in the OS X desktop/laptop version of Safari a full three weeks ago:

Security updates contained in
iOS 7.1.1, issued this week
Security updates in Safari 7.0.3 for OS X, released three weeks ago on 1 April 2014
CVE-2013-2871 miaubiz CVE-2013-2871 miaubiz
CVE-2014-1298 Google Chrome Security Team CVE-2013-2926 cloudfuzzer
CVE-2014-1299 Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics CVE-2013-2928 Google Chrome Security Team
CVE-2014-1300 Ian Beer of Google Project Zero working with HP’s Zero Day Initiative CVE-2013-6625 cloudfuzzer
CVE-2014-1302 Google Chrome Security Team, Apple CVE-2014-1289 Apple
CVE-2014-1303 KeenTeam working with HP’s Zero Day Initiative CVE-2014-1290 ant4g0nist (SegFault) working with HP’s Zero Day Initiative, Google Chrome Security Team
CVE-2014-1304 Apple CVE-2014-1291 Google Chrome Security Team
CVE-2014-1305 Apple CVE-2014-1292 Google Chrome Security Team
CVE-2014-1307 Google Chrome Security Team CVE-2014-1293 Google Chrome Security Team
CVE-2014-1308 Google Chrome Security Team CVE-2014-1294 Google Chrome Security Team
CVE-2014-1309 cloudfuzzer CVE-2014-1298 Google Chrome Security Team
CVE-2014-1310 Google Chrome Security Team CVE-2014-1299 Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1311 Google Chrome Security Team CVE-2014-1300 Ian Beer of Google Project Zero working with HP’s Zero Day Initiative
CVE-2014-1312 Google Chrome Security Team CVE-2014-1301 Google Chrome Security Team
CVE-2014-1313 Google Chrome Security Team CVE-2014-1302 Google Chrome Security Team, Apple
CVE-2014-1713 VUPEN working with HP’s Zero Day Initiative CVE-2014-1303 KeenTeam working with HP’s Zero Day Initiative
CVE-2014-1304 Apple
CVE-2014-1305 Apple
CVE-2014-1307 Google Chrome Security Team
CVE-2014-1308 Google Chrome Security Team
CVE-2014-1309 cloudfuzzer
CVE-2014-1310 Google Chrome Security Team
CVE-2014-1311 Google Chrome Security Team
CVE-2014-1312 Google Chrome Security Team
CVE-2014-1313 Google Chrome Security Team
CVE-2014-1713 VUPEN working with HP’s Zero Day Initiative

Do you see any similarities? Sure, the patch for desktop OS X users contains more fixes than the one for iOS users, but ignore that for now.

For those of you who haven’t spotted, I’ve shaded in the security holes that are shared between the Mac OS X and iOS versions of Safari in a fetching shade of blue.

In short, three weeks ago, when it released its security update for OS X, Apple told the world that there were critical security holes in its browser and provided fixes.

That would have been fine, if it had patched the same underlying vulnerabilities on the iPhone and iPad at the same time. After all, we know that hackers love nothing more than to reverse-engineer security patches and see if the same holes can be used elsewhere. But Apple *didn’t* patch iPhones and iPads at that point.

Instead, it left those iOS users vulnerable for three weeks.

And this isn’t a new phenomenon. Time and time again we have seen the iOS operating system used by Apple iPhones and iPads lagging behind – sometimes by months – when it comes to security updates compared to its big brother operating system, Mac OS X.

Security researcher Kristin Paget took to her blog to underline her disapproval of what appears to be Apple treating its millions of iPhone and iPad users as second class citizens, security-wise:

OK, so the desktop patch also included a few more issues – but clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago. Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines:

“I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.

Seriously, Apple – what the ****?

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Paget is quite right.

A malicious hacker could have taken one of these patched OS X vulnerabilities, and weaponised it for exploitation in a zero-day attack against iPhone and iPad users.

Every time Apple treats its smartphone and tablet customers as poor relations when it comes to security, they are putting millions of users at risk.

As we’ve explained before on the Mac Security blog, there are multiple ways in which malicious hackers and cybercriminals can target your systems, so remember the importance of a layered approach to security.

One of the layers is regularly updating your software against vulnerabilities as patches become available. Sadly, it’s evident that you can be doing a faultless job in keeping your systems updated, but still be let down if Apple fails to fix iOS and OS X security issues simultaneously.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • http://islandinthenet.com/ Khürt L. Williams

    I can’t say I know the answer to this question. Could it be that because iOS is a mobile with a very different security architecture — only signed apps can be installed and each app is sandboxed etc. — that perhaps the risk is lower? Or perhaps given the larger installed based for iOS, the Apple security team takes more time to make sure fixes don’t break something?

    As I stated, I don’t know the answer.

  • Henry_3_Dogg

    So, if you knew anything about software development, you would know that the chance of the patches being ready for both platforms on the same day is negli geable.

    So are you suggesting that Apple should have withheld the patches from the MacOS community until they were also available for iOS.

    Because I’m certain that had they done that, then the article would have been accusing them of treading MacOS users as second class citizens

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}