Former Employee Criticizes Apple's Security Patching Practices

Kristin Paget, a security expert who left Apple for Tesla in January, unloaded on her former company for its security patching practices. In a blog post, Ms. Paget noted that Apple identified and patched a large number of security flaws in Safari for OS X on April 1, publishing details of each one in the accompanying security advisory, but left the same flaws unpatched in iOS until iOS 7.1.1 was released three weeks later.

Kristin Paget's former Twitter picture

"Is this how you do business?" she asked in the blog post. "Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?"

Ms. Paget joined Apple in late 2012, a move that was heralded as part of Apple's commitment to improving the security of its software. Since leaving the company a bit more than a year later, she has been quite vocal in her criticism of Apple's handling of security issues, though only on matters that arose after her departure.

In this newest example, Ms. Paget's point is not only that Apple left a range of security flaws open in iOS for three weeks, but that it did so after publicly enumerating those specific flaws in the Safari advisory, handing anyone—including the bad guys—a ready-made list of bugs that were still exploitable on every unpatched iOS device.

"Someone tell me I’m not crazy here," she wrote. "Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?"

"In what world is this acceptable?" she asked.

It's a valid question, and it's coming from someone intimately familiar with Apple's internal approach to these issues. With malicious hacking on the rise, more criminal organizations drawing on hacker skills, and even governments getting in on the action, it's imperative that Apple make its platforms as safe as it can.

Ms. Paget's post suggests that this is not yet the case. If so, it is a good thing for users to be aware of, and a good thing for the issue to be in the spotlight so that Apple can fix it.

[Via InfoWorld]