The IT Nerd

Yesterday, Apple released iOS 13.5 which addresses  a zero day iOS Mail exploit which despite what Apple thought, was so serious that Germany said that the flaw was critical and they recommends the removal iOS Mail so that users could protect themselves. But on top of that, there was a Messages bug that can cause your iDevice to crash. Now Apple promised that an emergency patch would be released a couple of weeks to address the Messages bug at the very least. But that didn’t happen. And I among others have been critical of Apple’s response to this ever since.

So now that Apple has released iOS 13.5 which fixes these two bugs, is everything okay on this front?

No. Absolutely not!

Before I tell you way Apple doesn’t deserve to be let off the hook. Let me tell you what they (finally) did right. Let’s start with the release of iOS 13.5. According to ZecOps who are the people who found the iOS Mail exploit, which by the way has been around since iOS 3.1.3, this is now fixed:

Also, Apple released iOS 12.4.7 alongside iOS 13.5 which one would think would contains the same fix. That’s good news for users who cannot or will not upgrade to iOS 13.x. But that’s a guess for reasons that I will get into momentarily. When it comes to the text message bug that can crash your iOS device, that’s apparently been fixed as well based on people who have been brave enough to test this. But we don’t know for sure because as I type this, Apple has not yet updated their security documentation with this information. And I am typing this on the day after these updates were released. Here’s a screenshot that illustrates this:

It’s pretty bad when you have to rely on third parties to help you decide whether to install a software update because a software company like Apple doesn’t want to provide you that information for whatever reason. I’m sure it will eventually appear, but you have to wonder why Apple didn’t put this information out there when they released these updates.

But despite all of that good news, there are things that Apple needs to explain.

Apple needs to really to explain why they had exploits hanging out there for so long a national government had to call them on it. Apple needs to explain why they had fixes ready to go, but didn’t release them in the emergency patch that they promised. And finally Apple needs to explain why hold its users in such disdain. Because this whole episode has left many Apple users with the feeling that the security of their products is an afterthought which Apple only has to worry about when it makes the press in a very negative way.

Apple is a company that claims to want to protect their users from threats. Apple is also a company that claims to want to get into the enterprise. To do both of those things, Apple seriously needs up their game when it comes to dealing with exploits like this because responding to them as badly as they have in this case erodes the belief that Apple is different than Google or Facebook. Plus it takes away any credibility that Apple is trying to build in the enterprise. On top of that, Apple’s lack of action takes away one key advantage that they have over Google for example. If they update something in iOS, the majority of their users will install it almost instantly because updates come directly from Apple. They’re not filtered through the handset manufacturer, then to the carrier before they maybe get to you as is the case with Android. And iPhones tend to get software updates for years unlike many Android handsets who may stop getting updates a year after you bought them. Thus you would think Apple would leverage that by using it as a vehicle to quickly distribute fixes for exploits like this. But as demonstrated in this case, that may not be the case.

Now do I expect Apple to address these concerns in public? Of course not. This is Apple we’re talking about. A company that is at best opaque about what they do. But if they were smart they would address all of this and explain what they’re going to do to make sure that these are not issues going forward. But I’m not holding my breath on that front. And that’s something that will hurt Apple in the long run.

This entry was posted on May 21, 2020 at 8:10 am and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.