Apple has been listening to Sophos Naked Security!
Half-listening, anyway.
We’ve been saying for some time – in articles and in podcasts – that Apple would do well to become both regular and frequent with its updates.
Regular means having some algorithmic predictability for non-emergency updates, such as “always on Tuesday.”
And frequent, in our book, means monthly or thereabouts.
Oracle updates quarterly, for example, which probably isn’t swift enough these days.
Microsoft famously does updates every month; Firefox updates every six weeks, which, coincidentally but happily for fans of Douglas Adams, is a 42-day cycle.
We’ll suggest six weeks as a minimum frequency, and Tuesdays as a regularity beacon, simply because people are used to Patch Tuesday.
Frequency means you get in the habit of not making your users wait for important fixes, and regularity means you get in the habit of never letting your coding-and-testing operations slip.
Anyway, Apple seems to be getting about halfway there.
You still can’t tell when you’re going to get your next update, but serious security fixes do seem to be coming more frequently these days.
Like the latest round of patches, published on 22 April 2014 (a Tuesday, as it happens) for Apple OS X, Apple iOS and Apple TV.
Apple TV goes from 6.1 to 6.1.1 and iOS goes from 7.1 to 7.1.1, while OS X versions keep their old numbers but receive Security Update 2014-002.
As with other recent OS X updates, only Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9) get patches.
Don’t shoot the messenger, but Snow Leopard (10.6) gets nothing, and is once again at least unofficially unsupported.
It’s possible, of course, that none of the patches are necessary on 10.6, just as there are fixes that apply only to 10.9 and aren’t needed on 10.7 and 10.8.
But at least some of the updates – for example, updates to third party open source components such as Ruby – look as though they aren’t tied to specific OS X versions.
Interestingly, the OS X Security Update also includes Safari 7.0.3, already delivered as an update of its own at the start of April 2014.
So if you skipped that Safari update, which wouldn’t have been wise given the number of remote code execution holes that were fixed (26 in all), you’ll catch up now.
The fixes in Safari 7.0.3 include patches for the remote code execution holes at the recent PWN2OWN competition in Vancouver, Canada.
Those fixes are now also available to iOS and Apple TV users, with a big update to WebKit, the web rendering engine used in all of Apple’s browser versions, desktop and mobile.
Sadly, some of the security holes fixed in this round of updates have been present since last year, and probably should have been patched long ago, during previous updates.
The scripting language Ruby, for example, patched on OS X in this update, leaps forward from the June 2013 release to the February 2014 version.
The Ruby update closes a remote code execution hole, CVE-2013-4164, that was patched in Ruby itself back in November last year.
Mavericks users have received two lots of security patches since November 2013, with 10.9.1 arriving in December 2013 and 10.9.2 in February 2014.
Similarly, Lion and Mountain Lion users got Security Update 2014-011 in February 2014.
Why then, you have to wonder, was the Ruby patch made to wait so long?
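The kind of patch-gap check a Mac administrator would want for the situation described above, as an added example that is not code from the article or from Apple: it parses `ruby -v` banners gathered from a fleet, decides whether each host still runs a Ruby older than the upstream fix for CVE-2013-4164, and counts how many days past that fix the host has gone. The fix versions (2.0.0-p353 and 1.9.3-p484) and fix date (22 November 2013) are taken from Ruby's own release history and are assumptions, not values the article states; the hostnames and inventory lines are constructed.

```python
import re
from datetime import date

# Added example, not code from the article or from Apple.
# Upstream fix data for CVE-2013-4164 is an assumption taken from Ruby's
# release history (the article says only "November last year").
FIXED_IN = {
    (2, 0, 0): 353,   # fixed in 2.0.0-p353
    (1, 9, 3): 484,   # fixed in 1.9.3-p484
}
FIX_DATE = date(2013, 11, 22)

# `ruby -v` prints either "ruby 2.0.0p247 (2013-06-27 revision 41674) [...]"
# or, for 1.8.x, "ruby 1.8.7 (2012-02-08 patchlevel 358) [...]".
RUBY_V_RE = re.compile(
    r"ruby (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:p(?P<level>\d+))?"
    r" \((?P<date>\d{4}-\d{2}-\d{2})"
    r"(?: patchlevel (?P<level_old>\d+))?"
)


def parse_ruby_version(banner):
    """Turn a `ruby -v` banner into a series tuple, patchlevel and release date."""
    m = RUBY_V_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised ruby -v output: {banner!r}")
    level = m["level"] or m["level_old"] or "0"
    return {
        "series": (int(m["major"]), int(m["minor"]), int(m["patch"])),
        "patchlevel": int(level),
        "released": date.fromisoformat(m["date"]),
    }


def is_vulnerable(info):
    """True if this interpreter predates the upstream fix for CVE-2013-4164."""
    series = info["series"]
    if series in FIXED_IN:
        return info["patchlevel"] < FIXED_IN[series]
    # Series before 1.9.3 never received a fix; 2.1.0 and later shipped fixed.
    return series < (1, 9, 3)


def patch_gap_days(info, asof):
    """Days the host has run a vulnerable build past upstream's fix date."""
    if not is_vulnerable(info):
        return 0
    return (asof - FIX_DATE).days


def audit(inventory, asof):
    """inventory: iterable of (hostname, os_version, ruby_banner) tuples."""
    rows = []
    for host, os_version, banner in inventory:
        info = parse_ruby_version(banner)
        rows.append({
            "host": host,
            "os": os_version,
            "ruby": "%d.%d.%dp%d" % (*info["series"], info["patchlevel"]),
            "vulnerable": is_vulnerable(info),
            "gap_days": patch_gap_days(info, asof),
        })
    return rows


# Constructed sample inventory: what `sw_vers` and `ruby -v` might report
# from three Macs on the day the article's update shipped.
AS_OF = date(2014, 4, 22)
SAMPLE_INVENTORY = [
    ("mac-01", "10.9.2", "ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]"),
    ("mac-02", "10.9.2", "ruby 2.0.0p451 (2014-02-24 revision 45167) [universal.x86_64-darwin13]"),
    ("mac-03", "10.7.5", "ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin11.0]"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, AS_OF):
        if row["vulnerable"]:
            state = f"VULNERABLE, {row['gap_days']} days past upstream fix"
        else:
            state = "patched"
        print(f"{row['host']:8} OS X {row['os']:7} ruby {row['ruby']:12} {state}")
```

The comparison is done on the series-plus-patchlevel pair rather than on the release date alone, because a vendor can ship a later-dated build of an older series; the date field is kept only so the report can show how stale a bundled interpreter is. The gap counter is the figure that a regular, frequent cadence would keep bounded: with a six-week cycle, no host should ever show more than about 42 days.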
Similarly, why was a critical bug in the sudo command ignored for at least six months by Apple in 2013, even though the bug made it possible for just about any user or process already on the system to grant itself root privileges at will?
Clearly, a regular and frequent update regimen alone wouldn’t solve this problem of laggy Apple patches, but it would provide a clear set of deadlines and target dates for Apple’s security team.
You have to think, “That would surely do no harm.”
By the way, we recommend applying this round of updates sooner, rather than later.
The patches fix multiple holes on all platforms, including some attacks that can be combined dangerously, such as bypassing Address Space Layout Randomisation (ASLR), escaping from sandbox protection, getting control of the browser with booby-trapped JPEG (image) files, and grabbing almighty system power from an otherwise unprivileged process.
A remote code execution bug that can be triggered by a web-borne image to give an external attacker administrative privilege…
…is about as patchworthy as it gets!
What Apple need to do is publish their end of life dates, not just let old versions drift away…
I think part of the problem is that Apple tend to wait until they have several security fixes lined up, and then package them together and put them out as one update. In contrast, Microsoft’s security and stability patches tend to be more granular – ironically, there are now fewer Service Pack releases than there were with previous Windows versions.
Given that Snow Leopard seems to have dropped off the list of supported versions of OS X, I’m wondering if the reason for the delay in Apple’s security fixes is due to having to do regression testing against several operating system releases, more so if you include the parts that are shared with iOS and Apple TV. Perhaps Apple will ‘solve’ this problem by starting to move support for Lion and Mountain Lion off stage left. This seems probable, given their moves to persuade as many people as possible to upgrade to Mavericks.
Oh, MS is really a beautiful example to follow in this field. #sarcasm
You can be as sarcastic as you like, but Apple would indeed do well to follow in Microsoft’s footsteps when it comes to patching.
Microsoft has delivered ever-more reliable, rapid and effective patches every month for ten years, with additional emergency updates as needed. Microsoft has also been pretty clear about end-of-life dates for its products.
“Microsoft has delivered ever-more reliable, rapid and effective patches every month for ten years, with additional emergency updates as needed.”
Since I have used and had to rely on both operating systems for many years, I feel that statement tells only part of the story – because the errors and glitches Microsoft is always working to patch are, by and large, far more serious and more frustrating than Apple’s. And some Windows messes are not successfully patched for years, and persist through OS versions, e.g. deleted or moved desktop icons constantly reappearing on restart; damaged or “lost” user profiles, etc. etc.
To be clear: I am talking about security patches rather than functionality patches.
Also, if you are going to claim that Microsoft’s bugs are “far more serious” than Apple’s (at least from a security point of view), I feel you ought to offer some examples as evidence. Apple’s vulnerabilities seem serious enough to me – look, for example, at the CVEs I listed above patched in Mavericks alone this time. (JPEG file format vuln + kernel privilege escalation vuln + sandbox escape.)
Microsoft has had some bad holes, to be sure (the vulnerability used in the Stuxnet virus is a good example), but I am not convinced they are “by and large far more serious.” I think that’s a false sense of safety if you’re a Mac user.
Not sure how you jumped to the conclusion, from anything I said, that Mac users somehow suffer from “a false sense of security” although I do have an “impression” that Mac users enjoy a greater sense of contentment and satisfaction according to most surveys; but all these measures of how Mac users and Windows users and cross-platform users “feel” or “sense” are really simply subjective opinion, aren’t they? Really not something capable of being accurately measured, unless perhaps we would subject all computer users to taking something like the Minnesota Multiphasic Personality inventory, right? And what a monumental waste of time that would be.
I’m not jumping to that conclusion. I’m saying that if you make such a strong claim as that “Microsoft’s errors are far more serious”, then you run the risk of giving Mac users a sense that Apple’s security errors are in general less dangerous, and thus you may very well create a false sense of security. Such is the nature of better/worse comparisons, even if you meant to imply that Apple was indeed bad in absolute terms, but Microsoft merely worse.
So, since you’re on the topic of subjectivity: where’s your *objective* evidence that Microsoft needs to put out more patches because its software has “far more serious” flaws?
I’m not saying you’re wrong, but I don’t think you should expect me or anyone else to accept such a bold claim without evidence. I *think* I put that pretty clearly when I said above, “I feel you ought to offer some examples as evidence.”
Apple has communicated that it will always support the 3 most current versions of OS X. For now those are 10.7, 10.8 and 10.9. After the release of the next version (10.10; rumored to be released this October) the support for 10.7 will be dropped.
Ah! Good. Do you have a link for that communique, most importantly to the part that says versions more than 3 behind are *not* supported? I’ve really struggled to find an official “yes we do/no we don’t” message from Apple itself…
Please let me add some thoughts. I ran an iMac 2011 with 10.6.9 until last month. Apple installed an app through Apple update that prompted me to install Mavericks as the security update for Snow Leopard. Rather than do a clean install, and lacking Time Machine capability, I traded the old iMac at the Mac dealer for a tidy sum. There was no doubt in my mind support for Snow Leopard has ended. The Mavericks update is free as it is the security update. It should be plainly understood that support for Snow Leopard is over. It was supported for four years. Next year probably all will go except Mavericks. Thanks for letting me express my views here. I was a Snow Leopard user and also hated to see it go.