guest - flak

as always bundling fixes is bad

I generally like my iPhone. I think it’s fairly secure, and Apple seems pretty motivated to keep it that way (even if they don’t have the purest intentions, caring perhaps more about jailbreaking than my safety). But the way the way they go about releasing security fixes is terrible.

Highlighting two lines from a preview of iOS 8.3. First:

“As always, it’s a good idea to wait a few days to see if the update causes any problems.”

Sound advice. My phone is pretty important. I don’t like when it doesn’t work.

“As always, the iOS update includes a slew of security fixes.”

Cupertino, we have a problem.

I figure 24 hours is about the amount of time it takes from a security patch to be released until weaponized exploits show up. After that, if you’re not patched, you’re living dangerously, depending on the nature of the bug. Bundling new features with a high risk of regression with security fixes means users wait to upgrade.

The iOS 8.3 update is 280MB. It can’t even be downloaded over the air, only via wifi. Security patches are important enough that they should always be made available separately. Then I could download them, even OTA, without fear of regression.

What aggravates me most is that this is business as usual. As always. We’re training people not to patch. Users should be embarrassed to admit they’re running unpatched software; instead it’s regarded as the prudent choice.

Posted 2015-04-09 16:02:55 by tedu Updated: 2015-04-09 16:02:55
Tagged: gadget security