SANS Penetration Testing

Apple's Combined Patching

[Editor's Note: Still dithering on whether you should upgrade your iOS devices to version 6? Worried about sucky maps and other annoyances in the version that some people derisively refer to as "Apple's Vista"? Well, Josh Wright has some really good insight on the Apple patching and upgrade process. You've gotta read it. It has some solid practical advice for people not sure about whether to upgrade or skip this version and wait for something better. -Ed.]

By Josh Wright

With the release of Apple iOS 6, Apple announced the resolution of 197 security flaws on the Apple Product Security mailing list. Reading through the list is entertaining, with flaws ranging from "Passwords may autocomplete even when the site specifies that autocomplete should be disabled" to "A person with physical access to the device may be able to bypass the screen lock" and many more.

To Apple's significant credit, they offer the only mobile device platform where users can reasonably expect several years of software updates and security flaw resolution. Android, Windows Phone and BlackBerry users all suffer from platform fragmentation, where the OS manufacturer may make an update available but it remains inaccessible to many users because of restrictions imposed by the hardware manufacturer or the mobile operator. However, the Apple security resolution and patching process could stand some further improvement.

Apple makes a limited number of iOS updates each year, and each update replaces the entire iOS filesystem instead of making individual security fixes available as signed patches at the time the flaw is resolved. The result is that security flaws are not patched in a particularly timely manner, leaving users exposed to platform flaws until the next full iOS version becomes available.

What's more, Apple bundles significant platform changes and security patches into a single update. On any other platform, security professionals reject this practice, since it does not allow us to balance business needs against security requirements: accepting the fixes means accepting every feature change shipped alongside them.

Figure 1. Apple Maps, Photo Credit Jonathan Zdziarski

As an example, consider the new Apple Maps application in iOS 6. While the app has the trademark beauty of all Apple iOS applications, it is functionally deficient in many ways. End-users who rely on the legacy Maps application are hesitant to install iOS 6 because they would lose functionality they require. In the process, they continue to expose themselves to significant security flaws in iOS 5.1.1 and earlier.
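One practical check that follows from this: find out which devices in your own environment are still running a pre-iOS 6 build. iOS Safari reports its OS version in the User-Agent string (for example "CPU iPhone OS 5_1_1 like Mac OS X"), so a web-server or proxy log is enough for a rough inventory. The script below is an added example, not code from the original post or from SANS; the log lines are constructed for illustration, and the minimum version of 6.0 is an assumption that should be raised with each subsequent iOS release.

```python
import re

# Constructed sample access-log lines (combined log format), not real traffic.
# The User-Agent strings follow the format iOS Safari actually sends.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2013:07:52:00 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
10.0.0.6 - - [18/May/2013:07:53:10 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25"
10.0.0.7 - - [18/May/2013:07:54:22 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
10.0.0.8 - - [18/May/2013:07:55:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36"
10.0.0.9 - - [18/May/2013:07:56:40 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPod; CPU iPhone OS 4_3_5 like Mac OS X) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8L1 Safari/6533.18.5"
"""

# Assumption: iOS 6.0 is the first build carrying the fixes discussed above.
# Treat anything older as exposed. Bump this with each new iOS release.
MIN_IOS = (6, 0)

# iPhone/iPod use "CPU iPhone OS x_y_z", iPad uses "CPU OS x_y_z".
IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")


def parse_ios_version(user_agent):
    """Return the iOS version as a tuple of ints, or None if not an iOS UA."""
    m = IOS_UA_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("_"))


def split_log_line(line):
    """Return (client_ip, user_agent) from a combined-format log line."""
    client_ip = line.split(" ", 1)[0]
    # The User-Agent is the last double-quoted field on the line.
    _, user_agent, _ = line.rstrip().rsplit('"', 2)
    return client_ip, user_agent


def find_exposed_devices(log_text, min_version=MIN_IOS):
    """List (client_ip, version) for iOS clients older than min_version.

    Tuple comparison handles versions of unequal length correctly:
    (5, 1, 1) < (6, 0) and (6, 0) < (6, 0) is False.
    """
    exposed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, user_agent = split_log_line(line)
        version = parse_ios_version(user_agent)
        if version is None:
            continue  # not an iOS device; out of scope for this check
        if version < min_version:
            exposed.append((client_ip, ".".join(map(str, version))))
    return exposed


if __name__ == "__main__":
    for ip, ver in find_exposed_devices(SAMPLE_LOG):
        print(f"{ip} is running iOS {ver}, below {'.'.join(map(str, MIN_IOS))}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The check is only as good as the User-Agent, which native apps and MDM agents may report differently, so treat the output as a starting inventory rather than a definitive list.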

Should users update to iOS 6? Yes. Should Apple work toward modular patching and vulnerability resolution? Yes. Should Apple separate functionality updates from security fixes? Yes. Am I holding my breath? No.

Posted May 18, 2013 at 7:52 AM


I am so excited with Apple's release of iOS 6; I have been an Apple fan ever since. This is so cool since Apple added applications that enhance security. Thumbs up!
