NEW YORK — So much for the argument “Apple computers are safer and bug-free.”
It’s not true. We’re accustomed to annoying glitches in PCs. But the past few years have shown that Macs, iPads and iPhones have them too.
So far in 2015, five major flaws have affected Apple products.
Just this week, we encountered a nasty bug that lets hackers bury computer viruses so deep inside Macs, you’ll never find it. A week earlier, a flaw appeared that lets a text message crash an iPhone.
These are significant issues, and neither has been fixed yet.
Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing them.
Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.
Computer engineers, hackers and people familiar with the company’s practices explained that Apple is doing five things wrong in its approach to security.
1) Apple’s security updates are irregular and infrequent. Last year, it took Apple 100 days to fix a problem that some folks at Google found. (And when Apple finally did patch the hole, its supposed fix was weak and easily bypassed by hackers.)
In 2012, Oracle quickly moved to patch its Java program that was susceptible to a terrible, information-stealing malware called Flashback. But Apple waited two whole months to issue a fix — even though an estimated 650,000 Macs were infected.
“They don’t appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome,” said Tod Beardsley, a research manager at cybersecurity firm Rapid7.. “Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop.”
Sure, issuing quick fixes sometimes backfires. In this sense, Apple treats bugs like it does products. It’s usually a little late to the game, but it plans to do the job right.
But waiting too long can have devastating effects, leaving Apple customers vulnerable to hacks and theft of personal information.
2) Secrecy. Apple keeps quiet about its security holes.
For example, Apple didn’t admit the latest Mac bug is even real (because that would entice hackers to exploit it). And while it acknowledges the text message flaw and offers advice for how to fix it, Apple hasn’t explained the bug’s root cause.
“Apple works in mysterious ways. It has a reputation for being tight-lipped when it comes to confirming the existence of security issues,” Beardsley said.
Transparency would keep customers alert and help the large community of Apple developers suggest fixes. In this sense, secrecy is harmful.
3) Updates are only for the latest software. If you’re still using old versions of the Mac operating system, Apple has forsaken you.
For example, Apple patched a serious vulnerability in April — but only for its latest version, Yosemite. That means it left behind 47% of its users, those who use the operating systems Mavericks, Mountain Lion, Lion, and Snow Leopard, according to industry figures gathered by Net Market Share.
Apple’s defense? Customers can upgrade to the latest version for free. That’s true, but not entirely fair. Some older laptops can’t handle the latest software.
4) Unwillingness to pay. Apple is one of the only major tech companies that doesn’t reward researchers — with money — for finding potentially disastrous computer bugs.
Although criminals and spies are willing to pay $150,000 for an iPhone bug that hasn’t been made public, Apple pays nothing. Zip. Zilch.
5) No admission of guilt. This is what frustrates security folks the most. Apple doesn’t tend to acknowledge when it’s wrong. When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was “not really an engineering thing.”
But security features that would have prevented the celebrity iCloud episode — like requiring a text message as a second passcode — are precisely an engineering problem. To Apple’s credit, it eventually added that crucial feature to iCloud.
Dealing with Apple isn’t easy. Security researcher Xeno Kovah said that even in the most serious cases, when he had to report a critical software flaw to the Carnegie Mellon’s Computer Emergency Readiness Team, Apple was still not as “responsive or accurate” as other companies.
“Apple has a bug fixing problem,” he said.
It’s so bad that 684 independent Apple developers launched a formal campaign in 2012 and wrote a letter begging Apple to improve its bug-reporting system. They say little has changed.
Apple declined to comment for this story.
How Microsoft did it
Some of the best Apple hackers tell CNNMoney that Apple’s bug-reporting system needs an overhaul, similar to the one Microsoft went through years ago.
Microsoft had to go through a long and painful awakening. Think back 15 years ago, when Windows products were the most used — and hated. They were notoriously buggy. But then came a corporate turnaround.
In 2003, Microsoft introduced Patch Tuesday. Once a month, users would get a flood of updates to keep them safe. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. Apple doesn’t host a forum like that.
One of Microsoft’s most successful strategies in improving security has been its “bug bounty” program, which was implemented in 2013. Microsoft stopped fighting the legion of hackers — and turned them into a ragtag army of Microsoft guardians.
“Microsoft had worm after worm before meaningful security changes were made,” said Katie Moussouris, Microsoft’s former chief security strategist who implemented the bug bounty program. “Hopefully, Apple will adapt quickly.”
Why the added pressure on Apple all of a sudden? The company is “a victim of its own success,” Moussouris explained. Apple products are more popular than ever. More fingers on keyboards means more code is being explored. Inevitably, bugs will be found.
The good news: Apple is listening. And changes are coming.
Apple is aware of these issues, and the company is trying to improve how it communicates with researchers, according to a person familiar with the company’s plans. Its main challenge now is dealing with its rapid growth. Apple gets inundated with reports about possible flaws, and its security team wants to do a better job of paying closer attention to the big security issues, separating the real bugs from the fake ones.