Did Apple Inc. put users of its iPhones, iPads and iPod Touches at risk for three weeks by delaying key security fixes to the iOS operating system?
A security researcher who happens to be one of the company's ex-employees thinks so, chiding the tech darling for patching similar bugs in the OS X system for desktops and laptops weeks before fixing them in iOS.
"Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time? In what world is this acceptable?" Kristin Paget said in a blog post (http://www.tombom.co.uk/blog/?p=492).
Paget was hired away from Apple by carmaker Tesla Motors earlier this year, Autoblog.com reported.
In her blog post, she referred to the release of iOS 7.1.1, which she said addressed the same vulnerabilities as Safari 7.0.3 for the OS X system, only three weeks later.
The delay could have left iOS users vulnerable to a zero-day attack, she said.
"Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?" Paget said.
But a separate article on PC World quoted another researcher as saying patch delays between Apple products are a regular occurrence, especially when it comes to fixing WebKit bugs.
Carsten Eiram, chief research officer at Risk Based Security, told PC World via email that it is possible for attackers to "analyze the fixes for one product and create exploits that work against other products and platforms that are not fixed yet."
“We’ve seen for a very long time that Google usually addresses WebKit-related vulnerabilities in Chrome long before Apple does the same in their products. My rough impression from looking at WebKit security fixes is that the delay is around two-three months on average—though I’ve seen some much longer. After Google forked WebKit into Blink it seems to be getting worse,” Eiram said. — Joel Locsin/TJD, GMA News