
What’s Up with Apple’s Updates?


Apple products, like all computers and software, are in a constant state of flux. Like every company, Apple issues updates to fix bugs, correct security vulnerabilities, and, in some cases, to enhance its products or add new features. Apple does this irregularly, unlike some companies such as Microsoft, whose “Patch Tuesday”, for example, is the second Tuesday of the month. This irregularity can cause a number of issues, especially within businesses, where IT managers can plan for “Patch Tuesday” but can never plan for Apple updates. With no clue as to when updates will occur, especially security updates, the people who manage large numbers of Macs can find it difficult to patch their computers on short notice. (See our previous post about whether Apple’s security update process is enterprise-ready.)

In addition to not being able to plan for updates, Apple has been notably reticent in communicating the contents of their updates. To be fair, this is not the case for security updates, or at least hasn’t been so since mid-2004, when Apple started thoroughly documenting security fixes (and we’ll get to another problem with security updates later). However, other updates, whether for Mac OS X, individual applications, or the iPhone, contain minimalist descriptions and release notes. For example, version 2.0.1 of the iPhone software – and this is an entire operating system – contained the following description:

Bug fixes

Not to be outdone, version 2.0.2, released two weeks later, contained exactly the same description.

As another example, look at a recent iTunes update, version 7.7.1. Its release notes said, “iTunes 7.7.1 includes fixes to improve stability and performance.” This is the case for most updates to Apple’s software. Now, most users don’t need to know exactly what has been changed in a given update, but developers and IT managers do need to know this information. (And it turned out that an AppleScript property in iTunes was changed; this doesn’t affect most users, but did affect AppleScripts that worked with iTunes.) Granted, members of Apple’s developer program have access to seeds of major operating system updates, but even these seeds don’t contain any detailed information. Developers, such as those at Intego, install these update seeds to test their software and ensure that it is compatible, but when they discover a problem with their software, they can find it difficult to determine the exact cause because the release notes are so sparse.

There’s another problem with Apple’s security updates: Apple often takes way too long to release them. One recent example was Apple’s delay in fixing a serious DNS flaw, but Apple routinely drags its feet on issuing security fixes. Security researchers are increasingly going public with flaws they discover after waiting for Apple to patch them. Sometimes this is the only way to get the company to release an update. (In the security industry, when flaws are discovered, the person or company who discovers the vulnerability generally contacts the vendor first before releasing any information.)

So Apple has several problems with its updates: they are poorly documented, released with no schedule and no warning, and security fixes can be delayed for several months. Apple will need to improve this update procedure to become more usable in the enterprise market, where updates are essential and IT managers need more information than what Apple currently provides.
