Monday, May 7, 2018

What Do Security Updates Actually Fix?

Howard Oakley:

Apple claimed that all the 12,621 files installed in that security update were required to fix a memory corruption bug in Crash Reporter, and to address a spoofing issue in the handling of URLs in text messages (which Apple associated with “LinkPresentation”). Those were and remain the only fixes which Apple has listed as being included in that security update. Only last year, a typical security update of that size was accompanied by notes on 50 or more bugs which were fixed.

[…]

Apple is also in the habit of updating its security release notes after the release of that update. In some circumstances, where details of the vulnerability haven’t yet been released, and with contentious issues such as Meltdown and Spectre, this appears reasonable. But in several recent cases, Apple has later added details of fixes which appear simply to have been omitted from the original release notes. Unless you are in the habit of frequently re-reading release notes at Apple’s security updates listings, this means that you are likely to miss such delayed information.

[…]

Sarah did the right thing, and reported the bug to Apple, only to learn that she was not the first to do so. But Apple has still not revealed when the partial fix occurred, nor acknowledged that it delivered a complete fix in 10.13.4.

Previously: High Sierra Stored APFS Volume Passwords in Log Files.

1 Comment RSS · Twitter


perhaps fixes for 10.12 and older are coming, so they are keeping mum for now.

Leave a Comment