Is iPatch Tuesday In Apple's Future? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
09:17 AM
Larry Seltzer
Larry Seltzer
Connect Directly

Is iPatch Tuesday In Apple's Future?

iOS devices are all over the enterprise. Security threats against them might or might not exist, but they are certainly possible. The only responsible course of action for Apple is to make its update process transparent and predictable.

patched apple logo
It's an odd thing about Apple that the iPhone and iPad have made it an important player in enterprise computing. And yet, it doesn't seem to want to talk about it. It's as if Apple is embarrassed to be dealing with big business. It certainly doesn't have a history of adapting its practices to the needs of enterprises, which is a way of life for Microsoft. How much longer can this go on?

But in spite of Apple ignoring them, big businesses bought iPhones and iPads as fast as they could and are trying to use them for real business computing. And, while you won't find Apple bragging about it in public, the iPhone has many features that are there because businesses demand them--features like IT policy-enforced device encryption and remote wipe, both available through (somewhat ironically) Microsoft ActiveSync.

An Apple business practice that doesn't really work for business is its vulnerability patching. Security updates to iOS can appear out of the blue. This is not a good thing from a business standpoint.

Microsoft long ago recognized that businesses with large numbers of computers to manage wanted to be able to plan for patching events, so it instituted "Patch Tuesday". Updates to products happen on the second Tuesday of the month. On the previous Thursday Microsoft releases an Advance Notification which lists the affected products, the number of updates, their severity, and whether reboots might be required. If a severe enough event pops up, Microsoft might issue an off-schedule or "out of band" update, but there have been few of these.

Businesses can use this information to plan, and the practice has been a success. It has even been emulated by other major software companies, such as Oracle and Adobe. It's also not uncommon for other software companies to release their own updates for Microsoft's Patch Tuesday, perhaps to hide behind the negative publicity Microsoft inevitably receives.

Dr. Charlie Miller is principal research consultant at Accuvant LABS and perhaps the most famous and successful researcher of Apple security issues. Click here to read a BYTE interview with Dr. Miller.

But Apple likes to "think different." When a security update for iOS comes out it's usually without any real warning and IT has to decide what to do. Large enterprises often use management systems, including MDM or Mobile Device Management such as MobileIron, which includes an enterprise app store. This allows IT not only to distribute its own applications to its users without having to include them in the Apple App Store, but to manage the distribution of Apple's and third parties' apps.

With tools like this available, all that's left for Apple to do is provide some regularity and guidance to customers for upcoming patch events. This would allow it to plan for rolling out the patches in a sane and organized manner, as opposed to blasting it out to everyone all at once.

Mark Kelly of Information Security HeadQuarters argues for this in his blog. Kelly goes further, predicting that an iOS security incident "responsible for a big intellectual property loss" will happen in the next six months. It's completely plausible, but unless he's planning to conduct the attack himself he can't really know.

The myth of Apple's immunity to security breaches has no currency in the security community and the message is finally getting through to mainstream users and IT. Mac OS X and iOS are different, though. Mass attacks are a reasonable scenario for Mac users and there have been some, but for iOS the App Store model makes mass attacks very difficult to conduct.

Targeted attacks are another matter. If a hacker knows a certain company uses iOS, he could certainly put an exploit of an unpatched iOS vulnerability up on a website and lure a company employee to it with a targeted e-mail. Such attacks are more expensive and risky to conduct so they would only be used for high-value targets. It's possible there have already been such attacks and they've either gone unnoticed or have been successfully hushed up.

Either way, the threat is there and real in spite of the formidable security of the App Store. The right way to deal with it is to put the patching system on a more professional basis, with a known schedule and some advance notification--both for iOS and OS X. Kelly predicts this too: "Within one year Apple will establish a fixed monthly patch window date." I won't go that far. Apple seems reluctant to take formal and public measures for security, especially for business. But I hope I'm wrong.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
Flash Poll