Does Apple care more about securing Mac users than iPhone users?
Posted on by Graham Cluley
In the last couple of days, Apple has issued critical security patches for iOS, Mac OS X, the Apple Airport Base Station, and even the innocuous hockey puck-shaped Apple TV.
And I trust, as a regular loyal reader of the Mac Security blog, that you haven’t wasted any time ensuring that all of your devices and gadgets are fully patched up, and protected from potential attack by hackers.
After all, some of the security flaws tackled by these patches are extremely serious – and could lead to your devices being compromised by malicious hackers, or your personal and private data being stolen.
But the list of patches above reveals just how many different types of consumer and business gadgets Apple’s security team needs to consider these days when a new flaw is discovered, and raises an important question:
Does Apple treat all of its products equally when it comes to security?
Sadly, it seems they don’t.
Take a look at this list of issues that Apple has just fixed in WebKit, the framework that underlies the Safari browser on iPhones and iPads, and the security holes it addressed in the OS X desktop/laptop version of Safari a full three weeks ago:
Do you see any similarities? Sure, the patch for desktop OS X users contains more fixes than the one for iOS users, but ignore that for now.
For those of you who haven’t spotted it, I’ve shaded the security holes that are shared between the Mac OS X and iOS versions of Safari in a fetching shade of blue.
In short, three weeks ago, when it released its security update for OS X, Apple told the world that there were critical security holes in its browser and provided fixes.
That would have been fine, if it had patched the same underlying vulnerabilities on the iPhone and iPad at the same time. After all, we know that hackers love nothing more than to reverse-engineer security patches and see if the same holes can be used elsewhere. But Apple *didn’t* patch iPhones and iPads at that point.
Instead, it left those iOS users vulnerable for three weeks.
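The comparison the post makes by eye can be automated: pull the CVE identifiers out of two advisories, intersect them, and measure the window between release dates. This is an added example, not code from the post or from Apple; the advisory text, dates and CVE numbers are constructed placeholders, not real identifiers.

```python
import re
from datetime import date

# Constructed stand-ins for the two Apple security notes the post compares.
# The CVE numbers are placeholders, not real identifiers.
OSX_SAFARI_ADVISORY = """
Released 2014-04-01 (constructed date)
WebKit: CVE-0000-1001 memory corruption
WebKit: CVE-0000-1002 memory corruption
WebKit: CVE-0000-1003 memory corruption
WebKit: CVE-0000-1004 cross-origin issue
"""
IOS_ADVISORY = """
Released 2014-04-22 (constructed date)
WebKit: CVE-0000-1001 memory corruption
WebKit: CVE-0000-1003 memory corruption
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
DATE_RE = re.compile(r"Released (\d{4}-\d{2}-\d{2})")


def parse_advisory(text):
    """Return (release_date, set of CVE ids) found in an advisory's text."""
    released = date.fromisoformat(DATE_RE.search(text).group(1))
    return released, set(CVE_RE.findall(text))


def patch_gap(earlier_text, later_text):
    """Compare an earlier advisory with a later one for another platform.

    'shared' are the fixes disclosed in the earlier note that the later
    platform only received later; 'exposure_days' is how long that platform
    stayed publicly exposed.  CVEs absent from the later note may simply not
    affect that platform, so they are reported, not judged.
    """
    early_date, early_cves = parse_advisory(earlier_text)
    late_date, late_cves = parse_advisory(later_text)
    return {
        "shared": sorted(early_cves & late_cves),
        "only_in_later": sorted(late_cves - early_cves),
        "not_in_later": sorted(early_cves - late_cves),
        "exposure_days": (late_date - early_date).days,
        "later_is_subset": late_cves <= early_cves,
    }


if __name__ == "__main__":
    for key, value in patch_gap(OSX_SAFARI_ADVISORY, IOS_ADVISORY).items():
        print(f"{key}: {value}")
```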
And this isn’t a new phenomenon. Time and time again we have seen the iOS operating system used by Apple iPhones and iPads lagging behind – sometimes by months – when it comes to security updates compared to its big brother operating system, Mac OS X.
Security researcher Kristin Paget took to her blog to underline her disapproval of what appears to be Apple treating its millions of iPhone and iPad users as second class citizens, security-wise:
OK, so the desktop patch also included a few more issues – but clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago. Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines:
“I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.
Seriously, Apple – what the ****?
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?
Paget is quite right.
A malicious hacker could have taken one of these patched OS X vulnerabilities, and weaponised it for exploitation in a zero-day attack against iPhone and iPad users.
Every time Apple treats its smartphone and tablet customers as poor relations when it comes to security, they are putting millions of users at risk.
As we’ve explained before on the Mac Security blog, there are multiple ways in which malicious hackers and cybercriminals can target your systems, so remember the importance of a layered approach to security.
One of the layers is regularly updating your software against vulnerabilities as patches become available. Sadly, it’s evident that you can be doing a faultless job in keeping your systems updated, but still be let down if Apple fails to fix iOS and OS X security issues simultaneously.