Mac App Store exposes users to security risks, claims researcher


If you are using the Apple Mac App Store you might be putting your computer's security at risk.

That's the finding of security researcher Joshua Long who has warned that the App Store has not published the latest versions of various applications, despite the fact they can include critical security updates.

Here's part of Long's warning:

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue.

Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11.

Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.


Long says that he contacted Apple and Opera about the issue. Opera replied saying that they were waiting on Apple to approve the next version of Opera for Mac (Apple's approval is necessary before anything gets posted in the Mac App Store).

Put in simple terms, Apple seems to be falling short of the promise it makes in its promotion of the App Store that it "keeps track of your apps and tells you when an update is available" and that "you'll always have the latest version of every app you own."

And it appears that Opera is not the only application in the Mac App Store that is out-of-date and might be vulnerable to security flaws. Long points out that Amazon's Kindle app in the App Store, for instance, hasn't been updated since January.

So, the key question is, how quickly is Apple going to approve the latest Opera update, and other software which might have been updated to secure against critical security vulnerabilities, for the App Store?

Because if Apple can't update software containing critical security patches to the App Store in a timely fashion, users might be wiser getting their software via a more conventional route - such as (in the case of Opera) a direct download from the vendor's own website.

Read more about the App Store issue in the article posted by Joshua Long on The JoshMeister blog.


3 Responses to Mac App Store exposes users to security risks, claims researcher

  1. I'd like to see the App store connect to normal Apple Update notices, plus scan all things purchased in the App store for updates. Expecting most users to open the App store when they aren't shopping for new things seems unrealistic.

  2. Stig Rudeholm · 1599 days ago

    Paul Graham wrote about this all the way back in November of 2009:

  3. dave · 1598 days ago

    That was the stupidest post I've read in a while. Every resold software package on earth large or small from any vendor is downloaded needing a minor update. Crap, my new computer needed a minor update long before I brought it home, while Windows updates its sorry ass practically every day.

    To say that the App Store delivers vulnerable software is a narrowly lensed commentary on the entire software reseller structure, and has nothing to do with the app store itself.

    Incredibly stupid post that would never have gained any traffic if it did not reference the Apple brand.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley