A noted whitehat hacker who spent more than a year on Apple's security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.
Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday's release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.
"Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: 'I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'" Paget wrote in Wednesday's blog post. Addressing Apple officials directly, Paget continued: