When Apple released iOS 9.2.1 earlier this week it fixed several bugs and security flaws, one of which the company knew about for two and a half years. That makes it look like Apple dropped the ball, but in this case it was more about needing some serious time to properly address the security flaw.
Apple knew about one of the security issues iOS 9.2.1 fixes 2.5 years ago
The issue was reported to Apple in 2013 by the security research company Skycure and related to the way iOS devices stored Web cookies related to captive portals. Attackers needed to create a public Wi-Fi network where they redirect victims to a website that triggers the iOS Captive Network embedded browser. The embedded browser shares Mobile Safari's cookie store, which is the in attackers need so they can load and execute their own malicious content.
iOS 9.2.1 changes how browser cookies are stored to avoid the issue, and so far there aren't any known instances where this attack is being used. The lack of an actual threat may have played into the long period between discovery and a patch, but that's only a small part in the bigger picture.
"We reported this issue to Apple on June 3, 2013. This is the longest it has taken Apple to fix a security issue reported by us," said Skycure's Yair Amit. "It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users."
We don't know exactly what Apple needed to do to patch the flaw, but it's clear it wasn't a trivial fix. It could've involved a major overhaul of the cookie storage code, or maybe even kernel-level changes. If Apple had to rewrite part of the kernel, it's possible the changes were significant enough that it took until iOS 9 was released before the flaw could be addressed.
That doesn't mean Apple hasn't dropped the ball in the past, but this time around it looks like the company needed over two years to figure out how to properly patch this flaw.