Former Employee Criticizes Apple’s Security Patching Practices

Analysis

Kristin Paget, a security expert who left Apple for Tesla in January, unloaded on her former company for its security patching practices. In a blog post, Ms. Paget noted that Apple identified and patched a myriad of security flaws in Safari for OS X on April 1st, but left those same identified security flaws open in iOS until the release of iOS 7.1.1 three weeks later.

[Image: Kristin Paget's former Twitter picture]

"Is this how you do business?" she asked in the blog post. "Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?"

Ms. Paget joined Apple in late 2012, a move that was heralded as part of Apple's commitment to improving the security of its software. Since leaving the company a bit more than a year later, she has been quite vocal in her criticism of Apple's handling of security issues, though only on matters that arose after her departure.

In this newest example, Ms. Paget's point is that not only did Apple leave a variety of security flaws in iOS for three weeks, it did so after fully identifying those specific flaws for all the world—including the bad guys—to see and potentially exploit.

"Someone tell me I’m not crazy here," she wrote. "Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?"

"In what world is this acceptable?" she asked.

It's a valid question, and it's coming from someone intimately familiar with Apple's internal approach to these issues. With malicious hacking on the rise, an increase in criminal organizations utilizing hacker skills, and even governments getting in on the action, it's imperative that Apple make its platforms as safe as they can be.

Ms. Paget's point is that this may not be the case, and if so, it is a very good thing for us to be aware of, and for the issue to be brought into the spotlight so that Apple can fix it.
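The risk the article describes, a published fix list for one product serving as a map of what is still open in a sibling product built on the same code, can be checked mechanically from a vendor's own advisories. The Python below is an added example, not code from the article, from Ms. Paget's post, or from Apple: given advisory records, it reports, for every flaw fixed in more than one product, how long each later-patched product stayed exposed after the first advisory disclosed the flaw, and which disclosed flaws a given product still lacked a fix for on a given date. The advisory records and the CVE-style identifiers are constructed placeholders; the April 1, 2014 date is the Safari release the article mentions, and April 22, 2014 for iOS 7.1.1 is assumed to match the article's "three weeks later".

```python
"""Patch-gap exposure check across products that share code.

Added example, not code from the article or from Apple. The advisory
records below are constructed sample data and the CVE-style identifiers
are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    released: date
    fixed_ids: frozenset  # identifiers of the flaws this release fixes


# Constructed sample: the OS X Safari advisory ships first and lists the
# fixed flaws; the iOS release fixing the same flaws follows 21 days later
# (plus one flaw that only affected iOS, to show it is not reported as a gap).
SAMPLE_ADVISORIES = [
    Advisory("Safari (OS X)", date(2014, 4, 1),
             frozenset({"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"})),
    Advisory("iOS", date(2014, 4, 22),
             frozenset({"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
                        "CVE-0000-0004"})),
]


def exposure_windows(advisories):
    """For each flaw fixed in more than one product, report how long each
    later-patched product stayed publicly exposed after the earliest advisory
    disclosed the flaw.

    Returns a list of (flaw_id, disclosing_product, exposed_product, days),
    longest window first, ties broken by flaw id for a stable order.
    """
    first_fix = {}  # flaw id -> (date, product) of the earliest public fix
    for adv in sorted(advisories, key=lambda a: a.released):
        for fid in adv.fixed_ids:
            first_fix.setdefault(fid, (adv.released, adv.product))
    gaps = []
    for adv in advisories:
        for fid in adv.fixed_ids:
            first_date, first_product = first_fix[fid]
            # A flaw whose first fix is in this very product is not a gap.
            if first_product != adv.product and adv.released > first_date:
                days = (adv.released - first_date).days
                gaps.append((fid, first_product, adv.product, days))
    return sorted(gaps, key=lambda g: (-g[3], g[0]))


def unpatched_as_of(advisories, product, as_of):
    """Flaws that some other product's advisory had already disclosed on or
    before `as_of`, and that `product` had not fixed by that date.

    Returns {flaw_id: product_whose_advisory_disclosed_it}.
    """
    disclosed = {}
    fixed_here = set()
    for adv in advisories:
        if adv.released > as_of:
            continue  # not yet public on the date being examined
        if adv.product == product:
            fixed_here |= adv.fixed_ids
        else:
            for fid in adv.fixed_ids:
                disclosed.setdefault(fid, adv.product)
    return {fid: p for fid, p in disclosed.items() if fid not in fixed_here}


if __name__ == "__main__":
    for fid, disclosed_by, exposed, days in exposure_windows(SAMPLE_ADVISORIES):
        print(f"{fid}: disclosed by {disclosed_by} advisory, "
              f"{exposed} exposed for {days} days")
    midway = date(2014, 4, 10)
    print(f"Still open on iOS as of {midway}: "
          f"{sorted(unpatched_as_of(SAMPLE_ADVISORIES, 'iOS', midway))}")
```

Run against a vendor's real advisory feed, the same two functions give a defender a per-product exposure window to weigh against the risk of exploitation, and a list of what to mitigate (or watch for) on the product that is still waiting for its update.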

[Via InfoWorld]

Comments

Brian M. Monroe

While I do agree that patches should happen as soon as possible, I do think that when we are talking about computer security and software in general you have to weigh what the risks are versus the urgency of getting them out the door and not breaking something else in the process. Also, as these events happened after she left, how is she to know what was on Apple's plate to get done that was more critical? Also, we need to have perspective here because Apple has been quite quick to patch and update their systems in comparison to other platforms like Windows and Android, where some users either do not get patched at all or are not able to because their version of the OS is old and no longer supported.

ibuck

IMO Paget makes good points, and Apple needs to do better. A lot of Apple hardware and software updating seems to be fairly slow these days. Makes you wonder if Apple has pulled a lot of staff off those tasks to focus on new products/categories about to be birthed. Yet, even if true, security is pretty darn important.

geoduck

Let's see,
The OS X group was working on a patch and the iOS group was working on a patch.
Apple could release each as soon as it was ready, and get criticized for leaving the other vulnerable.
or
Apple could wait until both were done and release them simultaneously, and get criticized for not patching them sooner.

Damned if you do and damned if you don’t

Lee Dronick

This story gave me an idea for an Onion story. Let us turn it around with this headline

  Boss Criticizes Former Employee For Not Working Fast Enough
What happens next will blow your mind and renew your faith in humanity

Not that I am implying that Ms. Paget was a poor worker, just that things can be more complicated than when seen from one angle.

BurmaYank

Geoduck said: “Apple could wait until both were done and release them simultaneously, and get criticized for not patching them sooner. - Damned if you do and damned if you don’t”

As I read the article, Geoduck, what Apple actually did was neither:
“...not only did Apple leave a variety of security flaws in iOS for three weeks, it did so after fully identifying those specific flaws for all the world—including the bad guys—to see and potentially exploit.”
Instead of doing either, Apple could have released the first completed patch with no elucidation, and held its breath, hoping no reverse-engineering bad guys could discern what that patch was fixing, until the release of the later patch finally allowed Apple to announce everything - & Apple would surely never have been damned for that.


BurmaYank

Byan, Dave, all youse TMO guys! When ya gonna re-enable TMO comment-editing, focryinoutloud!!!

BurmaYank

IMHO, what Apple did was much worse than withholding the patch.

BurmaYank

(OK, let’s see what typing “[/b}” does to the rest of these comments.)

Lee Dronick

BurmaYank, I think that I just closed it for you. On yours there was one square bracket and one curly.

It is a bit of a hassle to do BBEdit on my iPad because you need to drill down several keyboards to get to the square brackets. I have done two things to help with that. Mostly I use blockquote and have a keyboard shortcut set so that zxz will type open quote and close quote with some space characters between them, then I paste the text in. I have a Pages document of BBEdit code, I can copy and paste from that.

BurmaYank

Yup - that did the trick!

Thanks, & thanks for the good tip,

Terrin

Honestly, I can’t get over the part where she left after a year of being at Apple. To me it seems like she has a personal axe to grind with Apple. That doesn’t necessarily mean her view is invalid, but I agree with others who point out it was a damned if you do damned if you don’t situation. Just because the vulnerabilities were available on both platforms and Apple patched one doesn’t mean it was telling the world the exploit still existed on the other platform.

freediverx

@BurmaYank wrote:
“what Apple actually did was neither… Apple could have released the first completed patch with no elucidation, hoping no reverse-engineering bad guys could discern what that patch was fixing, until the release of the later patch finally allowed Apple to announce everything.”

And then they’d get criticized for their “secrecy”, with critics accusing them of trying to hide their security flaws instead of being transparent about them.

What other company out there is doing a better job than Apple in providing a secure system and patching it in a timely manner?

ctopher

This is not the first time she's been critical of Apple; there's the February 23, 2014 post that was much the same. Apparently, that post received some press because her next entry responds to that exposure.

ctopher

Which you refer to right there in the article! Sorry for my lack of reading comprehension!
