Tuesday, July 6, 2010

Google, Chinese Researcher Find More iPhone Security Bugs Than Apple

Via The Firewall Blog (Forbes.com) -

If you use an iPhone, Apple just gave you five dozen very pressing reasons to update its software to the new iOS 4 operating system that's released Tuesday: patches for 64 security flaws that would potentially allow a cybercriminal to hack the smartphone.

Good for Apple for admitting and fixing its mistakes. Now if only it were better at finding them.

According to the security advisory that Apple released, only six of the 64 vulnerabilities were found by Apple itself. Google, on the other hand, is credited with finding and reporting twelve of the bugs (thirteen if you count one bug reported by a researcher at soon-to-be-acquired AdMob) and a Chinese researcher named "Wushi" of a group known as team509 is credited with reporting 15 of the vulnerabilities.

In an email, researcher and perennial Apple security gadfly Charlie Miller calls it a "distressing situation" that non-Apple researchers are finding nearly ten times as many Apple security flaws as Apple. "Either Apple isn't looking very hard or isn't very good at finding bugs," he adds. "Perhaps Apple should hire Wushi to help them, since apparently he can find more than twice the bugs their whole security team can find."

On the other hand, Apple should be given some credit for its transparency: Some companies don't even publicly credit the researchers who help them fix their security flaws.

But Apple's marketing claim that its machines are safe "right out of the box" is no longer an excuse for what seems to be a lackadaisical approach to monitoring and testing its devices' security. As we've written, the fact that malicious software for Macs isn't commonly seen doesn't mean it's not being used for targeted attacks.

And after all, if Apple believes it's worthwhile to patch this many bugs in its new operating system, it shouldn't leave the work of finding those vulnerabilities to the rest of the security community.
