Response to Apple's SSL Security Flaw
Security flaws occur all the time, yet this one seemed to grab the national spotlight. Articles on sites such as Forbes and LA Times pointed out how critical this flaw was and how important it was to update as fast as possible.
Tech Crunch urged users to update immediately. The New York Times chimed in with a choice quote from security consultant Aldo Cortesi. Information Week gave a bit more information by even giving an example of the doomsday scenario that would ruin you if you didn’t update.
What most of the press forgot to say was that users could easily bypass the majority of the threat by simply using a different web browser. The attacker would need to set up a malicious site, get you to visit it using the vulnerable Safari browser and only then would they be able to intercept traffic.
The tech press loves a good story and when it comes to Apple, any way to shine the light on Apple in a negative way almost guarantees page views. It’s unfortunate this FUD (fear, uncertainty, doubt) was able to win out over a rational discussion of the issue and giving users mitigating means to work safely before the fix was out.
Apple obviously didn’t want to bring a lot of attention to this case, but what they did was a bit beyond belief. Instead of issuing a simple patch to fix the vulnerability, Apple released a feature update!
If working in the IT field has taught me one thing it’s that updates need to be tested before being applied. Although testing an update meant for a phone may not be critical, testing for a computer operating system is a must – especially in the Enterprise.
Unfortunately for Mac users, Apple decided to bundle this very important update in OS X Mavericks 10.9.2. This “update” included many new features including FaceTime updates and new features for iMessages (figure 1). The last thing I want to do when fixing a serious security issue is to download a huge patch (The stand alone Mavericks 10.9.2 installer was over 700MB). Not only do I need to figure out an efficient way to distribute that update to all of my computers in an organization, but I’ve also got to test every application that the update touches. I’ve been burned too many times by hastily applying an update only to find it breaks some part of the system I’m trying to protect.
I can understand Apple’s desire to hide this little slip up, but hiding the fix in a 700MB+ update is uncalled for. Apple should own up to the issue and release a standalone patch – especially for Enterprises who don’t have the desire or time to test all of the pieces Mavericks 10.9.2 touches.
Security flaws are a part of our digital world. There’s nothing we can do about it. Since humans write code, there will be mistakes made. What we can do is try to use common sense to weed out the real issues and utilize simple workarounds whenever possible while those responsible work on a fix.