Why Patching Doesn’t Work – Using Apple As An Example

Apple released patches the other day in iOS release 8.4 to fix a family of security flaws called Masque.  Researchers then came up with a new variant of the flaw that the patch doesn’t fix.  Apple had already fixed earlier variants of the Masque attack in iOS 8.1.3.  Anyone see a theme here?  Unfortunately, in today’s world, putting yellow duct tape on top of green duct tape on top of silver duct tape is what we do.

For years, people thought Apple was immune to hackers.  In reality, while Apple’s software is good, it is not perfect.  Hackers considered Apple to be a niche player and instead focused their efforts on Windows users.  Now that Apple is considered a mainstream product, hackers are focusing some energy on it and finding holes.

Apple, in turn, is doing the only thing they really can do in the short term and that is buying cases of duct tape.  Unfortunately, as Microsoft figured out years ago, duct tape is neither elegant nor does it provide a lasting solution.

Bill Gates wrote his famous Trustworthy Computing memo in 2002, which started a culture change at Microsoft that is still unfolding today.  In the battle between security and features, features usually win.  In both Microsoft’s and Apple’s cases, real security means a lot of time, people and money to re-architect their products.  It is very rare that you see that in the commercial software world.  Usually it takes some sort of catastrophic failure like a nuclear reactor meltdown.  We did see major changes in the chemical process industry after the Union Carbide chemical plant disaster in Bhopal, India that killed or injured hundreds of thousands.

In the software world, vendors are not responsible if you are hacked and lose all your money, intellectual property or your nude pictures are published on the Internet for the world to see.  Until that changes, expect duct tape to be a hot commodity.

A few details about the problem.

In Apple’s case, the Masque flaws involve impersonating existing apps and getting users to install hacked versions, typically through Apple’s enterprise provisioning system, which allows companies to use apps that are not published on the App Store.

The fixes that Apple shipped last November in iOS 8.1.3 addressed the URL Masque and Plug-in Masque variants.

FireEye, the company that found these bugs, disclosed two more variants, called Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.  Expect more variants to follow.

Based on traffic to high-profile web sites, a third of Apple iOS users are running versions of iOS earlier than 8.1.3.  Unless a user downloaded 8.4 this week, every user is running a version older than 8.4.
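The exposure figures above come from iOS version strings observed in web traffic.  As an added example (not code from the article or its source), the following Python buckets the iOS versions found in a few constructed web-server log lines against the 8.1.3 and 8.4 fix levels the article cites, comparing versions numerically rather than as strings so that 8.4 correctly sorts after 8.1.3:

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic).  Safari on iOS puts the
# OS version in the User-Agent as "CPU iPhone OS 8_1_3 like Mac OS X".
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jun/2015:10:00:01] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4"
10.0.0.2 - - [13/Jun/2015:10:00:02] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4"
10.0.0.3 - - [13/Jun/2015:10:00:03] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2"
10.0.0.4 - - [13/Jun/2015:10:00:04] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
10.0.0.5 - - [13/Jun/2015:10:00:05] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4"
"""

# Matches both the iPhone form ("CPU iPhone OS x_y") and the iPad form ("CPU OS x_y").
IOS_VERSION_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")

def parse_version(text):
    """'8_1_3' or '8.1.3' -> (8, 1, 3); tuples of ints compare correctly (8.4 > 8.1.3)."""
    return tuple(int(part) for part in re.split(r"[._]", text))

def ios_version(log_line):
    """Return the iOS version tuple from a log line, or None if it is not an iOS client."""
    m = IOS_VERSION_RE.search(log_line)
    return parse_version(m.group(1)) if m else None

# Fix levels from the article: 8.1.3 (URL/Plug-in Masque) and 8.4 (Manifest/Extension Masque).
FIX_LEVELS = ((8, 1, 3), (8, 4))

def classify(version, fix_levels=FIX_LEVELS):
    """Bucket a version by the oldest fix level it has not reached, e.g. 'pre-8.1.3'."""
    for fix in fix_levels:
        if version < fix:
            return "pre-" + ".".join(str(n) for n in fix)
    return "current"

def exposure_report(log_text):
    """Count iOS clients per bucket; non-iOS lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        version = ios_version(line)
        if version is not None:
            counts[classify(version)] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in sorted(exposure_report(SAMPLE_LOG).items()):
        print(f"{bucket}: {n}")
```

Run against real access logs, the report shows how much of a site's own iOS audience is still below each fix level, which is the measurement the article's "a third of users" claim rests on.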

Older iPhones may not even be able to upgrade to 8.4 due to compatibility issues, so they will be vulnerable until they are crushed and recycled.

There is no easy answer and this is certainly not just an Apple problem.  As software becomes more sophisticated, the problem multiplies.  And, worse yet, all vendors, including Apple, abandon old versions of hardware.  Try getting updates for an iPad 1, for example.  However, the fact that the vendor doesn’t update does not mean that people don’t use them.

I do not think there will be a solution any time soon.  Both the U.S. and British governments still have tens of thousands of PCs running Windows XP.  The U.S. Navy agreed to pay Microsoft for private support for a few of these.  The British government, which did pay Microsoft millions last year for that service, opted to let it expire this year.  That does not mean those computers are not being used – just not being updated.

No. Easy. Answers.   Soooooooorry!

Source material for this article came from PC World (see article).
