Apple's culture of secrecy delays security response -- again

Apple finally delivers a cure for the "goto fail" plague, but this isn't the first time that sluggish Apple response times have put its users at risk.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
4 min read
An excerpt from Apple's published source code. Note the repeated "goto fail" lines.
An excerpt from Apple's published source code for the just-fixed double "goto fail" bug, which isn't the first time that Apple has taken its time getting a security problem fixed. Screenshot by Declan McCullagh/CNET

If it wasn't for the news reports of Apple's "goto fail" fix released on Tuesday, you might not have known that there had been a security problem with your Macs.

More than a decade ago, Microsoft was notorious for ignoring security problems. Years of complaints from independent security researchers and industry professionals resulted in big changes in how the company handles security problems.

After Windows security measures repeatedly fell to malicious hackers, and the company was in danger of becoming the laughingstock of the security community, Chairman Bill Gates wrote a now-famous 2002 letter saying security would become the company's top priority. By contrast, neither Tim Cook nor Steve Jobs have ever reformed Apple's mission in the same way.

In today's update that fixes "goto fail," Apple buried the notification of the fix and didn't identify it as being any different from the other security fixes in the update. Apple credited German software developer Roland Moriz for one of the bugs identified, although it appears that the CURL database bug he reported in November is only related to the "goto fail" bug and not identical.

"It looks like Apple may have some problems [rolling] out security patches when they already have another regular release in queue," Moriz wrote to CNET in an e-mail. "After this disaster, Apple should improve the test coverage of certain critical parts (e.g. SecureTransport) and review the existing code base."

The problem may be even worse in this case than it looks. "One interesting aspect of this is that [Mac OS X] 10.9.2 patched a large number of serious security vulnerabilities, not just the notorious "goto fail" one," said longtime Apple software developer Mike Ash, who described the list of bugs as "arguably more significant" than the Transport Layer Security problems in "goto fail."

"Some of them would allow an attacker to compromise your machine just by having you visit a Web site they control," he said, also known as a drive-by attack. Emphasizing that he was speculating on Apple's reasoning for the way that the update was published, Ash said in an e-mail to CNET that Apple may have decided "to roll the TLS fix into 10.9.2 because they needed to put 10.9.2 out soon to fix these other vulnerabilities, and a separate patch would have delayed it."

The evidence points to problems at Apple with alerting its users and fixing flaws in a timely manner. This is problematic because it's not made clear to Mac and iPhone users how important an update is to their security.

By contrast, Google and Microsoft identify security fixes with standard terminology such as Medium, High, and Critical.

It took Apple more than 1,200 days to fix a vulnerability in 2011 exploited by the FinFisher trojan. An App Store flaw that attackers exploited to steal passwords and surreptitiously install malicious apps was remedied by simply turning on basic HTTPS encryption -- nine months after it was initially reported. The Flashback malware infected more than 600,000 Macs, more than 1 percent of all Macs in use worldwide, because Apple took two months longer than Oracle to issue its own Java patch.

When issuing security updates, timeliness matters. Security researcher Ashkan Soltani said he thinks the culture at Apple downplays security concerns.

"They think that -- except for a small community -- that people don't care about security and privacy. They want to talk more about speed and cup holders and less about airbags," he said, "but it's the airbags that will save you."

Part of the problem is that companies like Apple think they can protect users by keeping knowledge of vulnerabilities from the public, said Andrew Sudbury, the chief technology officer at security startup Abine.

"Apple's security is still tied to its image," he said. "You'd think you'd want to push something like this as hard and as quickly as possible, but I personally only found out about it through the news."

Apple could have fixed the "goto fail" problem faster, but didn't. "I don't get the impression that the five-day delay was strictly necessary. Apple has put out quick security updates in the past, and this fix was particularly easy to apply at least in theory," said Ash.

Sudbury added that the bigger issue at Apple is keeping iPhones and iPads secure.

"iOS devices are a consumer device, and there's nothing you as a user can do [to secure them.] Apple takes all their responsibility, and even security companies can't help you," he said.

Soltani didn't mince his words for Cook's crew in Cupertino. "[They] waited until they had all the pieces together for a minor update, 10.9.2. If it were me, the moment something like this was determined, you'd want to roll this out. It was one line [of code required to fix the "goto" bug.]"

"Instead," he said, "they waited an entire weekend or more."

Apple did not respond to a request for comment before this story was published. CNET will update the story when there's more information.

With its history of lengthy response times to critical security problems, Apple is equally long overdue for a serious re-evaluation of how they handle their insecurities.

CNET's Declan McCullagh contributed to this report.