CMA on WebKit Security Bugs
Open Web Advocacy (Hacker News):
The CMA [UK Competition and Markets Authority] says [Apple’s browser] ban not only doesn’t protect security, it could make it worse!
[…]
Out of each of the three major browser engines, Safari has had the highest number of Browser Code Execution Vulnerabilities.
[…]
If we look at how long it takes Apple to patch vulnerabilities the picture looks even worse.
[…]
Apple doesn’t even apply all the patches to versions of the operating system that are still heavily used. When iOS 15 only had 0.93% of users installed, Apple wasn’t applying all of those security patches to iOS 14.
When lobbying against such initiatives as the Open App Markets Act, Apple emphasizes two pet pretexts: privacy and security--and in order to give the term security more gravitas, Apple--and all sorts of people beholden to it--stress that it’s about national security. What no one can deny is that Apple is the market leader in the U.S. smartphone business, so security issues affecting the iPhone are, by extension, an issue of concern to the country as a whole. But at the heart of Apple’s national security argument resides a total non sequitur:
Apple considers it an axiom that whatever Apple does is inherently secure, and whatever anyone else does is inherently insecure. It’s Apple’s version of what’s called infallibility in connection with various religions.
[…]
What I find so interesting about the OWA’s work (by the way, here’s a link to their response to the UK CMA’s interim report) is that they’ve compiled information that throws into doubt Apple’s conclusory claim of monopolistic behavior being in the interest of (national) security.
Previously:
- Open Web Advocacy
- The Time to Fix Web Security Bugs
- The Danger of Sideloading Chromium
- “American Innovation and Choice Online” and “Open Markets” Acts
- Safari 15 IndexedDB Information Leaks
- Security Researchers Unhappy With Apple’s Bug Bounty Program
1 Comment
At this point does anyone actually take Apple seriously when they justify these sorts of things in the name of security and privacy?