Kristin Paget, a security researcher who worked at Apple until a few months ago, took to her blog to criticise the company for staggering the release of fixes for the same security vulnerabilities across iOS and OS X.
Paget's specific complaint concerns the recent iOS 7.1.1 update, which, alongside Touch ID improvements, ships a number of WebKit security fixes. As with every release, Apple published the list of security bugs it fixed, with a description and discovery credit for each, on a public webpage. It does the same for its other product updates, including Safari 7.0.3 for OS X, which was released around three weeks earlier.
Paget compared the WebKit fixes on the two lists (WebKit is the rendering engine behind Safari on both platforms) and found that a number of the same bugs appear on both. The catch is that the Safari for OS X list had been public for three weeks, which told anyone reading it which shared WebKit bugs were still unpatched on iOS; since the fixes themselves were already shipping in Safari, iOS users were left exposed to known, fixable bugs for those weeks. She wrote:
Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: “I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?
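The comparison Paget made by hand is easy to automate: parse each product's security-content listing, intersect the vulnerability identifiers, and measure how long each product lagged behind the first public fix. The script below is an added illustration and is not code from Paget's post or from Apple. Everything it consumes is constructed: the advisory text mimics the shape of a security-content page, the release dates are chosen to match the three-week gap the article describes, and the CVE-0000-NNNN identifiers are placeholders rather than the real entries.

```python
"""Cross-reference vendor security-content listings and report, for each
vulnerability fixed in more than one product, how many days each product
lagged behind the first public fix.

Added illustration of the comparison described in the article; it is not
code from Paget's post or from Apple. The advisory text below is constructed:
the headers mimic the shape of a security-content page, the release dates are
chosen to match the three-week gap the article describes, and the
CVE-0000-NNNN identifiers are placeholders, not the real entries.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Advisory:
    product: str
    released: date
    cves: frozenset


_HEADER = re.compile(r"^(Product|Released):\s*(.+)$")
# Real CVE IDs have a four-digit year and a sequence of four or more digits;
# the placeholder CVE-0000-NNNN IDs used below deliberately fit the same shape.
_CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_advisory(text: str) -> Advisory:
    """Parse a minimal advisory: 'Product:' and 'Released:' (YYYY-MM-DD)
    headers, then one line per fixed issue that names a CVE identifier."""
    product = released = None
    cves = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _HEADER.match(line)
        if header:
            if header.group(1) == "Product":
                product = header.group(2).strip()
            else:
                released = datetime.strptime(header.group(2).strip(), "%Y-%m-%d").date()
            continue
        cves.update(_CVE.findall(line))
    if product is None or released is None:
        raise ValueError("advisory is missing a Product: or Released: header")
    return Advisory(product, released, frozenset(cves))


def patch_gaps(advisories):
    """Return {cve: {product: days}} for every CVE that appears in more than
    one advisory. 'days' counts from the earliest release that fixed the CVE,
    so the first product to ship the fix reports 0 and each later product
    reports the window during which the bug was public but unfixed there."""
    first_fix = {}
    for adv in advisories:
        for cve in adv.cves:
            if cve not in first_fix or adv.released < first_fix[cve]:
                first_fix[cve] = adv.released
    gaps = {}
    for adv in advisories:
        for cve in sorted(adv.cves):          # sorted for deterministic output
            gaps.setdefault(cve, {})[adv.product] = (adv.released - first_fix[cve]).days
    return {cve: g for cve, g in gaps.items() if len(g) > 1}


def worst_gap(advisories):
    """(cve, product, days) for the longest lag, or None if no CVE is shared."""
    worst = None
    for cve, per_product in patch_gaps(advisories).items():
        for product, days in per_product.items():
            if worst is None or days > worst[2]:
                worst = (cve, product, days)
    return worst


# Constructed sample listings (placeholder IDs, see module docstring).
SAFARI_OSX = """
Product: Safari 7.0.3 (OS X)
Released: 2014-04-01
CVE-0000-0001  WebKit: memory corruption via maliciously crafted web content
CVE-0000-0002  WebKit: memory corruption via maliciously crafted web content
CVE-0000-0003  WebKit: memory corruption via maliciously crafted web content
"""

IOS = """
Product: iOS 7.1.1
Released: 2014-04-22
CVE-0000-0002  WebKit: memory corruption via maliciously crafted web content
CVE-0000-0003  WebKit: memory corruption via maliciously crafted web content
CVE-0000-0004  WebKit: memory corruption via maliciously crafted web content
"""

if __name__ == "__main__":
    listings = [parse_advisory(SAFARI_OSX), parse_advisory(IOS)]
    for cve, per_product in patch_gaps(listings).items():
        lag = ", ".join(f"{p}: +{d}d" for p, d in per_product.items())
        print(f"{cve}: {lag}")
    print("worst:", worst_gap(listings))
```

Run against the two constructed listings, the two shared placeholder IDs each show a 21-day window on iOS, which is the exposure Paget is complaining about; the IDs unique to one listing are dropped, since a bug fixed in only one product says nothing about cross-product lag. The same function works over any number of advisories, so it can be run across an entire release history rather than a single pair.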
This isn't the first time Paget has criticised Apple's security practices. In February, she published a post titled "Dear Apple, FIX YOUR SHIT" over a similar lapse: Apple patched the "goto fail" SSL/TLS certificate-validation bug in SecureTransport on iOS (in iOS 7.0.6) but left OS X vulnerable until OS X 10.9.2 shipped.
Paget was hired by Apple in December 2012 and left the company in February this year for car-maker Tesla Motors. (Both posts were written after she left Apple.)