Why Is Apple Taking So Long to Patch Mac OS X?

The bad bit of code.

Apple isn’t a forthcoming company when it comes to communicating with the public. Its executives only like revealing information via carefully choreographed public events, or curt press releases. An old joke in tech journalism goes like this: if you need a comment from Apple, you can send its PR people an email and immediately write “No comment” in your blog posting or article, because they’ll never get back to you.

(That last bit is a bit of an exaggeration: Apple does get back to reporters, albeit with short statements that reveal as little as possible.)

When it comes to releasing products, that sort of secrecy’s expected. But Apple has a very big problem this week, caused by a bug that renders encryption for iOS 6 and 7, as well as Mac OS X 10.9, virtually useless—and the company has yet to issue a fix for Mac OS X, or release a press release or posting that warns users of the danger.

Instead, Apple pushed out a patch for iOS, and left it to dozens of tech reporters and security researchers to frantically warn their Twitter and Facebook audiences of the bug still present in Mac OS X, which leaves the operating system unable to properly verify SSL certificates. In other words, a black-hat hacker or other nefarious character could come along, execute a Man in the Middle attack, and pose as your email or banking Website—at which point your personal information, as the kids like to say, could be hosed.

The bug “affects anything that uses SecureTransport, which is most software on those platforms although not Chrome and Firefox, which both use NSS for SSL/TLS,” wrote the researcher, ImperialViolet, who first made it public. “However, that doesn’t mean very much if, say, the software update systems on your machine might be using SecureTransport.”

The bad code is two goto fail lines in a row, a quiet error. “I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it,” ImperialViolet added.
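As an added illustration (this is constructed example code, not code from the article and not Apple's SecureTransport source), the C program below reproduces the control-flow shape of that mistake. The second, unconditional goto fail jumps to the error label while err still holds 0, so the verification step after it never executes and the function reports success for any signature. The hash and signature helpers are toy stand-ins; only the control flow is the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the hash and signature primitives (constructed, not
 * SecureTransport's). Return 0 on success, mirroring the errSecSuccess style. */
typedef struct { uint32_t h; } hash_ctx;

static int hash_update(hash_ctx *c, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        c->h = c->h * 31u + data[i];
    return 0;
}

static int hash_final(const hash_ctx *c, uint32_t *out) {
    *out = c->h;
    return 0;
}

/* The "signature" is simply the expected digest; a real check would verify a
 * public-key signature over the digest, but the skipped-step problem is identical. */
static int raw_verify(uint32_t digest, uint32_t signature) {
    return digest == signature ? 0 : -1;   /* -1 stands in for a crypto error code */
}

/* What a correct peer would send for these parameters (used by the tests below). */
static uint32_t expected_signature(const uint8_t *params, size_t len) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    hash_update(&ctx, params, len);
    hash_final(&ctx, &digest);
    return digest;
}

/* Buggy shape: the duplicated goto is not guarded by the if above it, so it is
 * always taken with err == 0. hash_final and raw_verify are unreachable. */
static int verify_buggy(const uint8_t *params, size_t len, uint32_t signature) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                           /* the duplicated line */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);     /* never runs */

fail:
    return err;
}

/* Same routine with the duplicate removed: a forged signature is rejected. */
static int verify_fixed(const uint8_t *params, size_t len, uint32_t signature) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);

fail:
    return err;
}

int main(void) {
    /* Constructed sample input standing in for signed key-exchange parameters. */
    const uint8_t params[] = "constructed ServerKeyExchange parameters";
    uint32_t good = expected_signature(params, sizeof params);
    uint32_t forged = good ^ 0xdeadbeefu;

    printf("buggy: valid sig -> %d, forged sig -> %d\n",
           verify_buggy(params, sizeof params, good),
           verify_buggy(params, sizeof params, forged));
    printf("fixed: valid sig -> %d, forged sig -> %d\n",
           verify_fixed(params, sizeof params, good),
           verify_fixed(params, sizeof params, forged));
    return 0;
}
```

Two cheap checks catch this defect class: compiling with clang's -Wunreachable-code reports the statements after the second goto as unreachable, and a negative test that feeds a wrong signature and expects rejection (as main does with the forged value) fails immediately on the buggy version while passing on the fixed one.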

“I can’t blame Apple for the SSL bug, but their response has been pretty awful,” Christopher Soghoian, principal technologist of the ACLU’s Speech, Privacy and Technology Project, Tweeted Feb. 24. A few seconds later, he followed that up: “Congressional staff thinking of writing to Apple? Focus on their lack of timely warning to impacted users, not the source of the flaw itself.”

Meanwhile, Daring Fireball’s John Gruber bought an express ticket to Paranoia City with a Feb. 22 blog posting that suggested the NSA might have exploited the bug in order to access user data. He set out three pieces of information that a reader could use to draw that conclusion: a Tweet from Jeffrey Grossman suggesting that the SSL vulnerability began with iOS 6.0; the fact that iOS 6 hit Apple devices in September 2012; and Edward Snowden’s leaked slide suggesting that the NSA had “added” Apple to its PRISM surveillance program in October 2012. “These three facts prove nothing; it’s purely circumstantial,” he wrote. “But the shoe fits.”

Gruber went further: “Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer.” Whatever the cause, the NSA could have easily discovered the bug, and used it to hack iOS and, by extension, Mac OS X. That doesn’t mean Apple’s necessarily in collusion with the NSA; but it’s not outside the realm of possibility that the spy agency exploited the company’s mistake.

Either way, the cause of the bug is almost secondary at this juncture. What’s important is patching the vulnerability before too many people, unaware of the news, decide to do a little Web-surfing via the Safari browser on their Mac.


Image: Apple