New OS X security updates patch same zero-days as iOS 9.3.5

Updates come nearly a week after equivalent bugs were patched in iOS.

Read the whole story

 

[Rosyna]

I usually have an issue with security patch delivery disparity between platforms, but not here.

The iOS bugs were being actively exploited. Apple had to patch it extremely quickly, foregoing a usual QA pass.

With OS X, they could take a little bit more time to test, especially since the actions that the actively-used-malware on iOS was taking didn't exactly need to use any exploits to do them on Mac OS X…

(I'm saying a Mac OS X trojan could have done the same things without using any kernel exploits)

 

[MobtownDave]

It seems like a fairly quick update to me after patching the initial threat that was to the vast majority of Apple customers on mobile devices LAST WEEK.

In any case, is Mr Cunningham in a position to say if it is quick or not for the desktop OS with his assertion of "so many days"?

 

[RRob]

MobtownDave[/url]":1b4h1d57]It seems like a fairly quick update to me after patching the initial threat that was to the vast majority of Apple customers on mobile devices LAST WEEK.

Didn't the researchers delay releasing exploit details until the patch was ready? Which side didn't want to wait?

 

[CurlyMicheal]

As you may know that iOS is a sub-set of the code base of macOS.
But the reported "bug(s)" affected the mobile platform first and that was @ the top of platform(s) list for the "bug" fix(es).
So, the "fix(es)" where not released @ the same time & you are still way better off than if you where running another OS/Platform.
Try & get that kind of "bug fixes" from you know who?

 

[LordPixie]

Yeah, I wouldn't complain about this.

IOS runs on a very limited set of hardware, with an incredibly closed set of software.

OSX allows third parties to make hardware, install unvetted software, drivers, etc. It's got to be quite a bit more complicated to create and test a patch for. It may not have Microsoft levels of diversity, but it's still a lot more than IOS.

 

[tipoo]

"In theory, patching iOS without also patching the equivalent bugs in OS X could leave Mac users more open to attack."


That was rather curious that they left a gap between patching both. I hope they answer your inquiry, but as usual from Apple we're probably all expecting them not to.

 

[MilSF]

Well, at least this explains why I got a 4am reboot and the whole "Set up your iCloud again because we ran an update" routine. As a previous poster mentioned, OSX didn't seem to be the main target for this exploit, so a little further QA to make sure this didn't unexpectedly break functionality on a more complex OS isn't totally out of line.

 

[koolraap]

Why iPhones first? Random speculative guesses is you pick the most at-risk audience and largest audience first. I'd guess iPhone users install more apps than mac users, and I bet there are more iphone users than mac users.

Plus it's probably a longer regression test cycle for Mac. And longer to compile, package.

Or you fix the market that's worth the most to you first.

 

[adamsc]

Yeah, I wouldn't complain about this.

IOS runs on a very limited set of hardware, with an incredibly closed set of software.

OSX allows third parties to make hardware, install unvetted software, drivers, etc. It's got to be quite a bit more complicated to create and test a patch for. It may not have Microsoft levels of diversity, but it's still a lot more than IOS.

Exactly right. The internet is full of aggrieved nerds complaining about iOS being too restrictive but this is exactly the tradeoff being made – they can ship an iOS update and know that it will provably work the same way on every device made in the last 5 years. OS X has many angles for customization and there are many separate communities which rely on one feature and will complain loudly if an update breaks it.

Apple has generally improved a lot from the early OS X era but the only way they could ship updates simultaneously is if they delay the iOS release, which would be irresponsible in the case where they know it's actively being exploited with potentially serious consequences. I might worry from time to time about Apple neglecting the Mac but there's just no way that's remotely in the same league as the decidedly non-zero chance of someone going to jail in a repressive regime.

 

[biffbobfred]

1) i hated the gap as well. I figured there's a high chance these were present in MacOS X, err, macOS as well. Its just Webkit/Darwin.

2) easier to mitigate in macOS. On macOS, i always use chrome. Blink rendering engine not susceptible. On iOS, everything uses webkit.

3) a much wider variety of hardware for macOS testing i'm sure. Im suer immediately both teams started patching. remember it took 10 days for the iOS patch. Im sure they patched Darwin, and needed a much wider test matrix. We're patching the kernel here, you fuck up you brick a bunch of macOS boxes.

So, altogether, patch what you can as soon as you can, and cross fingers. Sucks to be Apple security engineer now.

 

[Sasparilla]

Looks like Mavericks fell off the update wagon here (Apple normally updates through the prior 2 OS releases) or will be a little later.

 

[oliversl]

I wonder when were those zero day bugs introduced, during big cats or after big cats. When you rewrite software, this is what you get sometimes.

 

[rain shadow]

Sasparilla[/url]":n4o3048l]Looks like Mavericks fell off the update wagon here (Apple normally updates through the prior 2 OS releases) or will be a little later.

there is a mavericks update but it's for safari only.

 

[Walt French]

People are focusing on the “delay” in patching OS X, but we ought to be celebrating that Apple put as much energy as possible onto the approximately 1 billion iOS users, some of whom were actively being attacked, and only after that, turned their non-unlimited resources to the ~50 million OS X users, who weren't.

20 times the number of at-risk users, infinitely more active assaults. Tough call./s

In that perspective, assigning ANY engineers to patching OS X, ☞if it delayed the iOS patch by even an hour☜, would have been a travesty well worth criticizing.

 

[Zip13]

Sasparilla[/url]":338l31bj]Looks like Mavericks fell off the update wagon here (Apple normally updates through the prior 2 OS releases) or will be a little later.

Was just about to respond to this but rain shadow covered it. Do notice that while Mavericks didn't receive any of the other patches, lookout and citizen lab did mention that there was indication that these exploits have been around since iOS 7. Meaning that when Apple was creating Yosemite they brought in iOS code (much to some power users dismay).

 

[biscuitsandcookies]

Walt French[/url]":3w0l5aym]People are focusing on the “delay” in patching OS X, but we ought to be celebrating that Apple put as much energy as possible onto the approximately 1 billion iOS users, some of whom were actively being attacked, and only after that, turned their non-unlimited resources to the ~50 million OS X users, who weren't.

20 times the number of at-risk users, infinitely more active assaults. Tough call./s

In that perspective, assigning ANY engineers to patching OS X, ☞if it delayed the iOS patch by even an hour☜, would have been a travesty well worth criticizing.

The problem that I have with that line of thinking is that there shouldn't be a question of assigning engineers back and forth between the two platforms by now. Both iOS and Mac OS are established products being actively developed by an established company. They should not have to compete with each other for resources or personnel anymore. Maybe back in 2007, but not anymore.

Yes, they share a kernel and some frameworks, but everything downstream from that should be structured so that once a kernel patch comes out, their respective integration and QC teams should be able to take it and run with it and not interfere with one another.

To be clear, I don't know that this is an issue. There are all sorts of situations that could cause the Mac patches to be later than the iOS patches. Everyone suggesting that the Mac fixes were delayed so that resources could be dedicated to iOS is speculating so far as I can tell.

 

[arcadium]

LordPixie[/url]":jyoj1ssz]Yeah, I wouldn't complain about this.

IOS runs on a very limited set of hardware, with an incredibly closed set of software.

OSX allows third parties to make hardware, install unvetted software, drivers, etc. It's got to be quite a bit more complicated to create and test a patch for. It may not have Microsoft levels of diversity, but it's still a lot more than IOS.

So basically, OSX users should just get used to the fact that they will be sitting ducks for a few weeks every year.

As Rosyna points out, in this specific scenario this may have been acceptable, simply because Apple was responding to a bug that was actively being exploited on iOS. However, Apple has done this for other bugs which are not being actively exploited.

Patching it on iOS, revealing it to the entire world, and then waiting some time before patching it on OSX, making OSX users remarkably vulnerable in the meanwhile.

 

[arcadium]

biscuitsandcookies[/url]":2iuql4kr]

Walt French[/url]":2iuql4kr]People are focusing on the “delay” in patching OS X, but we ought to be celebrating that Apple put as much energy as possible onto the approximately 1 billion iOS users, some of whom were actively being attacked, and only after that, turned their non-unlimited resources to the ~50 million OS X users, who weren't.

20 times the number of at-risk users, infinitely more active assaults. Tough call./s

In that perspective, assigning ANY engineers to patching OS X, ☞if it delayed the iOS patch by even an hour☜, would have been a travesty well worth criticizing.

The problem that I have with that line of thinking is that there shouldn't be a question of assigning engineers back and forth between the two platforms by now. Both iOS and Mac OS are established products being actively developed by an established company. They should not have to compete with each other for resources or personnel anymore. Maybe back in 2007, but not anymore.

Yes, they share a kernel and some frameworks, but everything downstream from that should be structured so that once a kernel patch comes out, their respective integration and QC teams should be able to take it and run with it and not interfere with one another.

To be clear, I don't know that this is an issue. There are all sorts of situations that could cause the Mac patches to be later than the iOS patches. Everyone suggesting that the Mac fixes were delayed so that resources could be dedicated to iOS is speculating so far as I can tell.

It's amazing how Apple, the largest tech company in the world, is allowed to use the "we just don't have enough engineers" excuse.

As you said, this may have been valid and understandable a decade ago, but absolutely is not now. MS supports a much more unwieldy Windows ecosystem, where a random amateur can build their own PC and load Windows on it, more securely than Apple is doing with OSX.

 

[Old_one]

Given that iOS users outnumber the macOS users by, what.. 20 to one? And that a real-world, active iOS exploit already existed? It's a no-brainer. Nice to know, though, that the macOS fix was beta-tested by all those iOS users. Thanks folks!

 

[cbreak]

arcadium[/url]":2mghs7xz]

LordPixie[/url]":2mghs7xz]Yeah, I wouldn't complain about this.

IOS runs on a very limited set of hardware, with an incredibly closed set of software.

OSX allows third parties to make hardware, install unvetted software, drivers, etc. It's got to be quite a bit more complicated to create and test a patch for. It may not have Microsoft levels of diversity, but it's still a lot more than IOS.

So basically, OSX users should just get used to the fact that they will be sitting ducks for a few weeks every year.

As Rosyna points out, in this specific scenario this may have been acceptable, simply because Apple was responding to a bug that was actively being exploited on iOS. However, Apple has done this for other bugs which are not being actively exploited.

Patching it on iOS, revealing it to the entire world, and then waiting some time before patching it on OSX, making OSX users remarkably vulnerable in the meanwhile.

No, it's not like apple will switch to that stupid "patch tuesday" system, or even adobe's quarterly flash updates, that leaves people vulnerable for months at a time. Nor does it have Google's problems with patch distribution. Apple still updates as fast as possible, and can push out updates when ever it wants.

 

[cbreak]

arcadium[/url]":262m0qvp]

biscuitsandcookies[/url]":262m0qvp]

Walt French[/url]":262m0qvp]People are focusing on the “delay” in patching OS X, but we ought to be celebrating that Apple put as much energy as possible onto the approximately 1 billion iOS users, some of whom were actively being attacked, and only after that, turned their non-unlimited resources to the ~50 million OS X users, who weren't.

20 times the number of at-risk users, infinitely more active assaults. Tough call./s

In that perspective, assigning ANY engineers to patching OS X, ☞if it delayed the iOS patch by even an hour☜, would have been a travesty well worth criticizing.

The problem that I have with that line of thinking is that there shouldn't be a question of assigning engineers back and forth between the two platforms by now. Both iOS and Mac OS are established products being actively developed by an established company. They should not have to compete with each other for resources or personnel anymore. Maybe back in 2007, but not anymore.

Yes, they share a kernel and some frameworks, but everything downstream from that should be structured so that once a kernel patch comes out, their respective integration and QC teams should be able to take it and run with it and not interfere with one another.

To be clear, I don't know that this is an issue. There are all sorts of situations that could cause the Mac patches to be later than the iOS patches. Everyone suggesting that the Mac fixes were delayed so that resources could be dedicated to iOS is speculating so far as I can tell.

It's amazing how Apple, the largest tech company in the world, is allowed to use the "we just don't have enough engineers" excuse.

As you said, this may have been valid and understandable a decade ago, but absolutely is not now. MS supports a much more unwieldy Windows ecosystem, where a random amateur can build their own PC and load Windows on it, more securely than Apple is doing with OSX.

Apple: 115000 employees, https://en.wikipedia.org/wiki/Apple_Inc.
Amazon: 268900 employees, https://en.wikipedia.org/wiki/Amazon.com
Google: 57100 employees, https://en.wikipedia.org/wiki/Google
Microsoft: 114000 employees, https://en.wikipedia.org/wiki/Microsoft
IBM: 377757 employees, https://en.wikipedia.org/wiki/IBM
HP: 315000 employees, https://en.wikipedia.org/wiki/Hewlett-Packard
Oracle: 136262 employees, https://en.wikipedia.org/wiki/Oracle_Corporation

Apple is CLEARLY not the biggest tech company.

And as said above, with microsoft's patching scheme, you're left vulnerable for weeks at a time, and then updates regularly cause major issues, as witnessed recently with the anniversary update, and the related QC failures. Those then force people to defer updates, increasing the window of vulnerability further.

 

[WaveRunner]

cbreak[/url]":2n3ser4q]

arcadium[/url]":2n3ser4q]

biscuitsandcookies[/url]":2n3ser4q]

Walt French[/url]":2n3ser4q]People are focusing on the “delay” in patching OS X, but we ought to be celebrating that Apple put as much energy as possible onto the approximately 1 billion iOS users, some of whom were actively being attacked, and only after that, turned their non-unlimited resources to the ~50 million OS X users, who weren't.

20 times the number of at-risk users, infinitely more active assaults. Tough call./s

In that perspective, assigning ANY engineers to patching OS X, ☞if it delayed the iOS patch by even an hour☜, would have been a travesty well worth criticizing.

The problem that I have with that line of thinking is that there shouldn't be a question of assigning engineers back and forth between the two platforms by now. Both iOS and Mac OS are established products being actively developed by an established company. They should not have to compete with each other for resources or personnel anymore. Maybe back in 2007, but not anymore.

Yes, they share a kernel and some frameworks, but everything downstream from that should be structured so that once a kernel patch comes out, their respective integration and QC teams should be able to take it and run with it and not interfere with one another.

To be clear, I don't know that this is an issue. There are all sorts of situations that could cause the Mac patches to be later than the iOS patches. Everyone suggesting that the Mac fixes were delayed so that resources could be dedicated to iOS is speculating so far as I can tell.

It's amazing how Apple, the largest tech company in the world, is allowed to use the "we just don't have enough engineers" excuse.

As you said, this may have been valid and understandable a decade ago, but absolutely is not now. MS supports a much more unwieldy Windows ecosystem, where a random amateur can build their own PC and load Windows on it, more securely than Apple is doing with OSX.

Apple: 115000 employees, https://en.wikipedia.org/wiki/Apple_Inc.
Amazon: 268900 employees, https://en.wikipedia.org/wiki/Amazon.com
Google: 57100 employees, https://en.wikipedia.org/wiki/Google
Microsoft: 114000 employees, https://en.wikipedia.org/wiki/Microsoft
IBM: 377757 employees, https://en.wikipedia.org/wiki/IBM
HP: 315000 employees, https://en.wikipedia.org/wiki/Hewlett-Packard
Oracle: 136262 employees, https://en.wikipedia.org/wiki/Oracle_Corporation

Apple is CLEARLY not the biggest tech company.

And as said above, with microsoft's patching scheme, you're left vulnerable for weeks at a time, and then updates regularly cause major issues, as witnessed recently with the anniversary update, and the related QC failures. Those then force people to defer updates, increasing the window of vulnerability further.

No they aren't... if something is being actively exploited Microsoft releases it's patched ASAP, on ALL devices it doesn't wait a whole month.

You can defend Apple all you want... but don't pretend their shit practices apply to Microsoft. And why I get bothered about something as lame as DSLR camera RAW data patch or something as lame as iMovie patch on Apple's whim is beyond lame. A week doesn't go by without Apple patching something I don't even use, perhaps they should divert their energy to something critical. Then again I doubt anyone actually uses Safari on a Mac, unless it's to stream a live event from Apple.