Kristin Paget, former Apple security engineer, has posted the following via Kristin Paget’s Blog:
Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.
What didn’t happen was the corresponding OS X patch. At least not yet.
WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?
Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.
FIX. YOUR. SHIT.
Soon.
Please?
Love and hugs as always,
Me <3
Source: Kristin Paget’s Blog
MacDailyNews Take: No arguments here.
Dear Apple,
Every second that passes without a fix that removes one line of code just makes you look that much more incompetent.
1. Highlight second “goto fail;” and press “delete” key
2. Release security update
3. There is no step 3.
Insecurely yours,
MacDailyNews
—
Even if the fix is more involved than our humorous example above, this has already taken too long. Ever get the feeling that of Apple’s 80,000 employees, only about 5 are actually allowed to do any of the real work? Why does the world’s most valuable company always seem to be stretched too thin?