{"id":5424,"date":"2014-04-23T15:01:44","date_gmt":"2014-04-23T19:01:44","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5424"},"modified":"2014-04-23T15:01:44","modified_gmt":"2014-04-23T19:01:44","slug":"apple-users-left-exposed-to-serious-threats-for-weeks-former-employee-says","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/04\/23\/apple-users-left-exposed-to-serious-threats-for-weeks-former-employee-says\/","title":{"rendered":"Apple users left exposed to serious threats for weeks, former employee says"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/04\/apple-users-left-exposed-to-serious-threats-for-weeks-former-employee-says\/\"><img data-recalc-dims=\"1\" height=\"293\" width=\"640\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/04\/ios-update-640x293.jpg?resize=640%2C293\" alt='' \/><\/a><\/p>\n<p>A noted whitehat hacker who spent more than a year on Apple&#8217;s security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.<\/p>\n<p>Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday&#8217;s release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.<\/p>\n<p>&#8220;Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: &#8216;I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'&#8221; Paget wrote in Thursday&#8217;s blog post. Addressing Apple officials directly, Paget continued:<\/p>\n<p>Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don\u2019t see anything wrong with this?<\/p>\n<p>Someone tell me I\u2019m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms\u2014but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?<\/p>\n<p>In what world is this acceptable?<\/p>\n<p>Paget&#8217;s critique comes two months after Apple patched the extremely critical &#8220;goto fail&#8221; bug in iOS without fixing it in the Mavericks version of OS X. Critics once again warned that the code and description Apple released for the mobile update gave a roadmap attackers could use to target the same flaws during the four-day window it remained unpatched on desktops. The bug, which made it trivial to bypass crucial HTTPS encryption protections, was finally fixed on Mavericks on February 25.<\/p>\n<p>Paget\u2014who has also been employed by Google and eBay\u2014called on readers to cross-check previous iOS and OS X security updates to see if they also showed long lapses between the time when critical vulnerabilities are fixed on one platform and when they&#8217;re repaired on the other.<\/p>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2014\/04\/apple-users-left-exposed-to-serious-threats-for-weeks-former-employee-says\/\" target=\"_blank\">Apple users left exposed to serious threats for weeks, former employee says | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A noted whitehat hacker who spent more than a year on Apple&#8217;s security team has dealt her former employer some [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[2,7],"tags":[341,549,1177],"class_list":["post-5424","post","type-post","status-publish","format-standard","hentry","category-apple","category-security","tag-exploit","tag-ios","tag-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1pu","jetpack-related-posts":[{"id":6833,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/12\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/","url_meta":{"origin":5424,"position":0},"title":"iOS security hole allows attackers to poison already installed iPhone apps","author":"NCCT","date":"November 12, 2014","format":false,"excerpt":"Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data. The \"Masque\" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6071,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/30\/privacy-focused-tails-os-compromised-how-to-stay-safe-until-its-patched\/","url_meta":{"origin":5424,"position":1},"title":"Privacy-focused Tails OS compromised: How to stay safe until it&#8217;s patched","author":"NCCT","date":"July 30, 2014","format":false,"excerpt":"Vulnerabilities in the Tails operating system could reveal your IP address, but you can avoid trouble by taking a couple of precautions. Tails, a portable operating system that employs a host of privacy-focused components, plans to patch flaws contained in I2P, a networking tool developed by the Invisible Internet Project\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8767,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/12\/07\/security-vulnerabilities-found-in-support-software-from-lenovo-toshiba-and-dell\/","url_meta":{"origin":5424,"position":2},"title":"Security vulnerabilities found in support software from Lenovo, Toshiba, and Dell","author":"NCCT","date":"December 7, 2015","format":false,"excerpt":"By Lucian Constantin | PCWorld The number of vulnerabilities discovered in technical support applications installed on PCs by manufacturers keeps piling up. New exploits have been published for flaws in Lenovo Solution Center, Toshiba Service Station and Dell System Detect.The most serious flaws appear to be in Lenovo Solution Center\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7570,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/05\/malicious-advertisements-on-major-sites-compromised-many-many-pcs\/","url_meta":{"origin":5424,"position":3},"title":"Malicious advertisements on major sites compromised many, many PCs","author":"NCCT","date":"February 5, 2015","format":false,"excerpt":"Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers. Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware. \u201cWe certainly see malvertising\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8157,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/29\/researcher-claims-that-attackers-can-easily-bypass-current-osx-security-tools\/","url_meta":{"origin":5424,"position":4},"title":"Researcher claims that attackers can easily bypass current OSX security tools","author":"NCCT","date":"April 29, 2015","format":false,"excerpt":"Most Mac users feel as though they are impenetrable to viruses and malicious software, but according to one researcher that is not the case. While Apple has its fair share if security measures in place, recent data has surfaced suggesting those tools are \u201ctrivial\u201d for any attacker to bypass. For\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8465,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/07\/13\/hacking-teams-arsenal-included-at-least-three-unpatched-exploits-for-flash-player\/","url_meta":{"origin":5424,"position":5},"title":"Hacking Team&#8217;s arsenal included at least three unpatched exploits for Flash Player","author":"NCCT","date":"July 13, 2015","format":false,"excerpt":"Recently breached surveillance software maker, Hacking Team, had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk. Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5424"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5424\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}