Apple obviously didn’t want to bring a lot of attention to this case, but what they did was a bit beyond belief. Instead of issuing a simple patch to fix the vulnerability, Apple released a feature update!
If working in the IT field has taught me one thing, it’s that updates need to be tested before being applied. Although testing an update meant for a phone may not be critical, testing for a computer operating system is a must – especially in the Enterprise.
Unfortunately for Mac users, Apple decided to bundle this very important update in OS X Mavericks 10.9.2. This “update” included many new features including FaceTime updates and new features for iMessages (figure 1). The last thing I want to do when fixing a serious security issue is to download a huge patch (the standalone Mavericks 10.9.2 installer was over 700MB). Not only do I need to figure out an efficient way to distribute that update to all of my computers in an organization, but I’ve also got to test every application that the update touches. I’ve been burned too many times by hastily applying an update only to find it breaks some part of the system I’m trying to protect.
I can understand Apple’s desire to hide this little slip-up, but hiding the fix in a 700MB+ update is uncalled for. Apple should own up to the issue and release a standalone patch – especially for Enterprises who don’t have the desire or time to test all of the pieces Mavericks 10.9.2 touches.
Security flaws are a part of our digital world. There’s nothing we can do about it. Since humans write code, there will be mistakes made. What we can do is try to use common sense to weed out the real issues and utilize simple workarounds whenever possible while those responsible work on a fix.