Apple is mismanaging security, and its quality assurance and attention to detail have gone to hell. Apple followed up the worst security botch ever—not securing the root account on High Sierra for 73 days—with what may be the second worst security botch ever. Namely, Apple didn’t correct the widely accepted misunderstanding that its AirPort routers were not afflicted with the KRACK Wi-Fi exploit. Some might call that a lie of omission. Oh yeah, and it took them 57 days to fix it.
Worst Security Botch Ever: TLDR No Root Password
In what could only be described as the worst security blunder in the history of commercial computing, Apple released macOS High Sierra on September 25, 2017. Unknown to users, that operating system shipped in a state where no password was required to gain superuser (root) access. This might be likened to leaving your front door open with a sign that says “Please, please rob me.”
If that were not bad enough, the we-dont-need-no-steenkin-root-password episode was followed by an update that patched that blunder on November 29, 2017. That was followed by another update, 10.13.1, on December 4, 2017, that undid the fix. That was followed by a “WTF is the state of my machine” week of no clarity. And then that was followed, finally, with a 10.13.2 update on December 6, 2017 fixing the mess.
In other words, Apple shipped an operating system where the root account was insecure for 73 days. And from the time the vulnerability was announced, Apple bumbled for a full week before managing to close the vulnerability.
The Keystone Cops of Cupertino have decided to make it clear to the world that, in comparison, Microsoft—even in its heyday—was a bunch of rank amateurs at blundering security. To prove Apple’s now undisputed status, I present the Apple KRACK debacle.
Second Worst Security Botch Ever? The Apple KRACK Debacle
In October, the KRACK exploit uncovered perhaps the greatest security vulnerability Wi-Fi has ever had. A few router manufacturers came out with patches on day 1, while most vendors provided clear announcements that they would supply patches in short order.
Apple provided information to iMore, who reported that Apple routers were not vulnerable to the KRACK exploit. In short, Apple’s position regarding its routers seemed to be: “we-dont-need-no-steenkin-patches.” Now, 2 months later, Apple has released a patch for the KRACK exploit after letting the world believe its routers weren’t vulnerable to it.
We really need to take a pause here—a moment of silence if you will—where you, dear reader, can imagine a dripping scatological screed of deep guttural derision and exasperation. ARE YOU KIDDING ME! YOU CANNOT BE SERIOUS! How could Apple let users believe their routers were invulnerable to such a serious exploit for so long?
So here are a few possibilities of how this might have happened:
- Apple’s routers were indeed invulnerable, but it still released a patch for the KRACK vulnerability, which doesn’t make much sense.
- Apple believed that its client devices might not be vulnerable, and as such, it didn’t matter that its router was vulnerable. That doesn’t excuse not informing users of a vulnerability that would still affect non-Apple client devices (e.g., your Android devices, Internet of Things gadgets, PCs, Xboxes, etc.) working through the unpatched Apple routers.
- Apple allowed this misrepresentation of its routers’ invulnerability to KRACK to persist knowing otherwise.
- Apple was so grossly incompetent as to not realize their routers were vulnerable.
Regardless of which of the above theories you subscribe to, it does not speak well of how Apple handled this.
Apple Needs To Get Serious About Quality Assurance & Security
What’s sad is that the above is not the full extent of Apple’s recent security and bug snafus. Many of these lapses simply evince a profound lack of caring. Apple needs to get super serious about quality assurance and security, and quickly. The company should consider creating something like a ‘Senior VP of Quality Assurance and Security’ role. And it must get someone who really knows the field to add much needed attention to detail and quality control. It is clearly and sorely needed without Steve Jobs’s exacting eye.
Right now, the best way to describe Apple security is “total $%*@ show.” With regard to the AirPort KRACK vulnerability, at best, it’s a disaster of miscommunication. At worst, it’s blithe incompetence.