When someone carries the status of "ex", it means that, for obvious reasons, they are no longer part of a relationship, in this case an employer-employee relationship like the one between Apple and Kristin Paget. Given what we are about to relate, there is little doubt that Paget wants to turn the people in charge of Apple's software security upside down.
Apple + Patching = You’re Doing It Wrong :(
Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit, which includes:
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
What’s particularly interesting about this list is that it looks an awful lot like the list of bugs fixed in Safari 7.0.3 on the desktop, which was released some 3 weeks ago on April 1st:
CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
OK, so the desktop patch also included a few more issues – but clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago. Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines:
“I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”. Seriously, Apple – what the fuck?
Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?
Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?
In what world is this acceptable?
I’m starting a bounty. One thousand Defcoin and my eternal respect to the first person to cross-check the list of bugs fixed in iOS versus the list of bugs fixed in OS X, and draw a pretty graph (with supporting open-source data) of how many patches are missing on each platform compared to the other over time. Should be an interesting picture…
-K
"Doing it wrong" is how Kristin Paget, who used to work on Apple's iPhone security team, labels this on her personal blog, pointing out that the kernel shared by iOS and Mac OS X has clearly not led to the two platforms being patched in parallel.
What Paget means is that from the release of iOS 7.1 until iOS 7.1.1 arrived, iPhone customers were left exposed, given that the same bugs that version fixes had already been fixed some time earlier on the Mac OS X side.
The programming expert also used the fixes in the desktop version of Safari, 7.0.3, as a comparison, showing the huge difference in time between when the fixes land on each platform, and went further by launching a challenge: she will pay 1,000 Defcoin to the first person who manages to cross-check the list of bugs fixed in iOS against the list of bugs fixed in Mac OS X and draw a graph, backed by open-source data, of how many patches are missing on each platform compared to the other.
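The cross-check Paget proposes, as an added example that is neither part of her post nor of this article: a small Python script that parses the two credit lists quoted above by CVE id and reports which issues appear in both advisories and which appear in only one. The iOS 7.1.1 release date used for the exposure-window calculation is an assumption (the post only says "some 3 weeks" after Safari 7.0.3 on April 1st); the Safari date is the one stated in the post. Plotting the gap over time, as the bounty asks, would need the same parsing applied to the full series of Apple advisories rather than the two lists quoted here.

```python
"""Cross-check two Apple security advisories by CVE identifier.

Both lists below are transcribed from the WebKit sections quoted in the
post (iOS 7.1.1 and Safari 7.0.3).  Matching is done purely on the CVE id;
the credit string is kept only so the report can show who found each issue.
"""
import re
from datetime import date

# WebKit entries credited in the iOS 7.1.1 advisory (transcribed from the page).
IOS_7_1_1 = """
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
"""

# WebKit entries credited in the Safari 7.0.3 advisory (transcribed from the page).
SAFARI_7_0_3 = """
CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
"""

# One advisory line: "CVE-YYYY-NNNN : credit".  Anything else is ignored.
CVE_LINE = re.compile(r"^\s*(CVE-\d{4}-\d{4,})\s*:\s*(.+?)\s*$")


def parse_credits(text):
    """Map each CVE id in an advisory excerpt to its credit string."""
    entries = {}
    for line in text.splitlines():
        match = CVE_LINE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def cross_check(first, second):
    """Return (fixed in both, only in first, only in second), each sorted.

    CVE ids from the same year are zero-width-equal, so plain string
    sorting keeps them in numeric order.
    """
    a, b = set(first), set(second)
    return sorted(a & b), sorted(a - b), sorted(b - a)


def exposure_days(earlier_release, later_release):
    """Days a shared bug was public on one platform before the other was patched."""
    return (later_release - earlier_release).days


def report(ios_text=IOS_7_1_1, mac_text=SAFARI_7_0_3,
           mac_date=date(2014, 4, 1),     # stated in the post
           ios_date=date(2014, 4, 22)):   # assumed: "some 3 weeks" later
    """Summarise the overlap between the two advisories."""
    ios, mac = parse_credits(ios_text), parse_credits(mac_text)
    both, ios_only, mac_only = cross_check(ios, mac)
    return {
        "shared": len(both),
        "ios_only": ios_only,
        "mac_only": mac_only,
        "ios_is_subset_of_mac": not ios_only,
        "days_shared_bugs_were_unpatched_on_ios": exposure_days(mac_date, ios_date),
        "credits_for_shared": {cve: ios[cve] for cve in both},
    }


if __name__ == "__main__":
    summary = report()
    print(f"shared fixes: {summary['shared']}")
    print(f"only in Safari 7.0.3: {', '.join(summary['mac_only'])}")
    print(f"only in iOS 7.1.1: {summary['ios_only'] or 'none'}")
    print(f"iOS list is a subset of the desktop list: {summary['ios_is_subset_of_mac']}")
    print(f"exposure window (assumed dates): {summary['days_shared_bugs_were_unpatched_on_ios']} days")
```

Run it as-is and the output confirms the post's claim: every WebKit CVE in the iOS 7.1.1 list also appears in the Safari 7.0.3 list, while ten fixes shipped on the desktop only. Feeding `parse_credits` the WebKit section of each successive advisory, with its real release date, is all the bounty's "pretty graph" needs as input.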