Apple Security Flaws Give Some Researchers Concern About Deeper Issues

Credit to Author: Lily Hay Newman | Date: Wed, 13 Dec 2017 12:00:00 +0000

All software has flaws, no matter how carefully you vet it. So the question isn't how to write perfect code, but how to respond to mistakes as you find them. And while Apple has earned a strong reputation for security, a string of significant vulnerabilities in macOS and iOS has strained Apple's safety net, and led some security researchers and developers to question whether the issues are systemic.

Take the release of Apple's macOS High Sierra operating system at the end of September. Within ten days, the company had to fix two critical bugs: a third-party app could read credentials out of the keychain, and the password hint for encrypted Apple File System (APFS) volumes displayed the password itself in plain text. Then, at the end of November, security researchers publicly announced that anyone could get root access to a Mac running High Sierra simply by entering the username "root" with a blank password at a system authentication prompt.

The bug was so glaring that Apple pushed a fix within a day, impressive speed for such a large company.

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," Apple said in a statement to WIRED after the initial "root" bug incident—a rare admission from the company. "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

'Clearly there’s something going on there. It defies explanation as a coincidence at this point.'

Thomas Reed, Malwarebytes Labs

But the fix then turned out to have a serious problem of its own: installing Apple's next macOS update could silently undo it, leaving the root bug open again until the patch was reapplied. That is not surprising given how little time the company had to test it, and the lapse joins a parade of similar software hiccups, not just in macOS but across Apple's platforms. Throughout 2017 the company was fixing numerous problematic bugs, including dozens in iOS 10, and a particularly jarring update in May that affected all of the company's operating systems and services, fixing 66 unique vulnerabilities. Several of those vulnerabilities allowed remote code execution; an attacker would not have needed physical access to a device to compromise it.
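The practical check Mac administrators needed in this episode was a way to confirm, after every update, that the root account is still disabled. The script below is an added example and is not code from the article or from Apple. It assumes (this is not stated in the article) that a disabled root account has no AuthenticationAuthority attribute in the local directory, so that `dscl . -read /Users/root AuthenticationAuthority` reports "No such key", while an enabled root account carries a `;ShadowHash;` entry; the exact wording of the dscl message and the sample outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the WIRED article): is the macOS root account enabled?
# Assumption about how the root account is stored (not from the article):
# a disabled root account has no AuthenticationAuthority attribute, so
#   dscl . -read /Users/root AuthenticationAuthority
# prints "No such key: AuthenticationAuthority". Once root has been enabled,
# the attribute holds a ";ShadowHash;..." entry. The dscl error wording is an
# assumption and may differ between macOS releases.

# Classify a captured dscl output string: prints enabled, disabled or unknown.
root_state() {
  case "$1" in
    *"No such key"*)                      echo disabled ;;
    *AuthenticationAuthority:*ShadowHash*) echo enabled ;;
    *)                                    echo unknown ;;
  esac
}

# Live check (macOS only): succeeds only when root is confirmed disabled, so it
# can gate a post-update script. On a host without dscl it returns 2.
root_is_disabled_live() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: not a macOS host" >&2
    return 2
  fi
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  [ "$(root_state "$out")" = disabled ]
}

# Constructed sample outputs for offline use (not captured from a real Mac;
# the hash list and error text are abbreviated/illustrative).
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.0000;LKDC:SHA1.0000'
SAMPLE_GARBAGE='DS Error: -14120 (eDSPermissionError)'

if [ "${1:-}" = "--live" ]; then
  if root_is_disabled_live; then
    echo "root account disabled"
  else
    echo "root account NOT confirmed disabled (rc=$?)"
  fi
else
  for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_GARBAGE"; do
    printf '%-9s <- %s\n' "$(root_state "$s")" "$s"
  done
fi
```

Run it with `--live` on a Mac to query the directory; without arguments it classifies the constructed samples. Two caveats: an enabled root account with an administrator-chosen password is legitimate, so "enabled" means investigate rather than "compromised", and the point of wrapping the query in a function is to re-run it after every OS update, since, as the article notes, an update could reverse the fix.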

Shortly after iOS 11 came out in September, iPhones began to autocorrect the letter "i" to "A." While not a security issue, it was highly visible—and irritating—to much of Apple's customer base. And as recently as last week, Apple released an iOS 11 fix for a remote HomeKit vulnerability that wasn't easy to exploit, but could have allowed a motivated attacker to compromise important smart home devices like door locks.

Apple still offers better security than its competitors by most metrics. But security researchers say that this uptick in vulnerabilities may point to deeper problems.

"In my opinion, Apple's desire to get all of its platforms—iOS, macOS, watchOS and tvOS—on the same public relations, product management, and marketing-friendly annual release cycle is starting to take a toll," says Pepijn Bruienne, a research and development engineer at Duo Security who focuses on Apple products. "While I feel that Apple's overall platform security vision across all of its products is the best in the industry bar none, the pace seems to be taking a toll on the quality assurance portion of the software development process."

Several researchers pointed to that quality assurance testing process, speculating that it lacks either the manpower or the clear direction to make thorough enough assessments. Apple itself said it is "auditing our development processes," which could hint at a vetting and testing issue, but it could also speak to the other concern researchers have voiced of late: the pressure on Apple to release overhauled software every 12 months.

"Apple’s had problems before, and they can’t be blamed for that because everybody’s going to run into a bug sooner or later," says Thomas Reed, the director of Mac and mobile in the threat tracking and analysis group at Malwarebytes Labs. "What’s really been unusual in the last month or so is just the sheer number of bugs. Clearly there’s something going on there. It defies explanation as a coincidence at this point. And since so many of these are coming up in High Sierra and iOS 11, it makes you wonder if they rushed those releases for some reason and put them out too soon when they weren’t really ready for public consumption."

'I hope alarms are going off at Apple headquarters, because they seem to be losing the grip on their user experience and software quality.'

iOS Developer Marin Todorov

Some longtime Mac administrators are nostalgic for a release like Apple's OS X 10.6 Snow Leopard from 2009, a deliberate and contemplative iteration of 2007's splashy, feature-packed Leopard release. "Snow Leopard was such a good, stable release because Apple really spent a lot of time fixing bugs for it," Reed says. "They really need to do the same thing again at this point, because every release lately has been so heavily weighted toward new features. I think they need to slow it down a little on the new features and concentrate in the next release on fixes."

The highly visible vulnerabilities could also have a cascading effect on Apple's overall security. One reason its devices stay relatively safe is that iPhone and Mac owners generally install updates in a timely fashion, whereas Android devices, say, often get left behind. But too many mistakes too often could make people wary of adopting updates quickly, preferring to hang back while they wait for new software to have its issues shaken out in the field.

"I stopped using Apple’s latest software some time ago. I always keep a couple of versions behind and that works okay," says Marin Todorov, a longtime iOS developer. "I hope alarms are going off at Apple headquarters, because they seem to be losing the grip on their user experience and software quality."

Though the situation right now troubles Apple-focused researchers and admins, the company's security posture and pipeline remain more robust than those of most large tech companies. And Apple's recent problems have also drawn more scrutiny in part because researchers publicly disclosed the flaws instead of quietly reporting them to Apple and waiting for a fix. Turkish software developer Lemi Orhan Ergin, one of the researchers who found the "root" bug, notified Apple with a public tweet.


"Normally there is concerning stuff addressed in most security updates, but now we are seeing people go public prior to fixes, causing a bit more panic," says Will Strafach, an iOS security researcher and the president of Sudo Security Group. "There are definitely not more bugs, though, just that people never paid attention to already-addressed issues versus current ones. There is also a bit of a pile-on effect so to speak, since people will remember the root bug for a while and associate it with further new issues as they arise."

Even if the cause has more to do with bugs getting mainstream attention, the result could still be hesitance to update, which would damage Apple's overall security approach. "Mac admins, almost fortunately, have been kind of slow on update adoption, but that’s sending the wrong message because updating is so critical for security," Malwarebytes' Reed says. "I’ve got to give Apple credit, they have responded to these things quickly, but I think that the big focus needs to be on the overall stability of the system itself rather than having to respond to these bugs. It's frustrating."

If the next cycle of Apple releases doesn't contain as many basic mistakes, the problems with High Sierra and iOS 11 could recede as an understandable blip. For now, though, they look more like a pattern.
