Got an Apple Mac, iThing? Update it right now – there's a shedload of security holes fixed

Apple has posted security updates and feature improvements for its desktop, mobile, and developer gear. The Cupertino giant today issued updates for iOS, OS X, and watchOS, plus iTunes on Windows, Safari on OS X, and Mac firmware. The OS X El Capitan update also "improves compatibility with Microsoft Office 2016," so if you' …

  1. jzl

    Say what you like about Apple, but at least they've got their OS update strategy sorted on mobile. C'mon Google + OEMs. Step it up.

    1. Steve Davies 3 Silver badge
      Holmes

      Plus they are not forced on you

      unlike another supposedly popular OS that gets mentioned here quite frequently.

    2. Planty Bronze badge

      The update strategy that means they have to update the whole OS each time a security issue crops up? You wait months for the update. Google send out updates really quickly for things like webview as it's serviced via the play store, as are updates to many other core apps and services.

      Google's strategy is far far superior, which is why Android has had far less (less than half) reported issues in 2015 compared to iOS, and the average fix time is 4x better.

      I know this doesn't fit the FUD that's usually spewed about Android, but it's the truth.

      http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

      https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224

      1. Naselus

        "Google's strategy is far far superior"

        Now, I hate Apple as much as the next man, but really, Google's don't have a strategy with Android updates beyond the Nexus. Yes, the iOS invulnerability myth is a lie spread by idiots and fanbois, and yes, iPhones have about as many security problems as any other device, but Apple's got way more control over the distribution vectors than Google's 'let's write an update and hope like hell the OEMs can be arsed handing it out' approach.

        1. Anonymous Coward

          "...Google's don't have a strategy with Android updates beyond the Nexus.... but Apple's got way more control over the distribution vectors than Google's 'let's write an update and hope like hell the OEMs ..."

          Apple have their own phones and they provide timely updates for them. Google have their own phones and GPE phones that they provide updates to.

          Google also Open Source the software for anyone to use and change as they wish. OEMs do that and create custom versions. Google have made a device independent way of updating a lot of that (the apps, Google Play services etc) but if an OEM has customised open source software then they can't and shouldn't be responsible for it.

          The same way that someone can create a custom Linux system, you wouldn't expect to get updates sent directly. The kernel will be updated and then third party will incorporate it when they are ready.

          The advantage is that you can often use a different Android install that is completely up to date for your handset and not have to worry about the third party if you want to lose their customisations.

          So you either go Apple route and choose a device from the OS provider (Nexus, GPE), go to a third party with a custom OS or use a third party device with a fourth party Android install. So much choice...

        2. Ian Joyner Bronze badge

          Strange - you will find the next man does not have some irrational and pathological dislike of Apple. Apple has done so much for this industry, like invent it (at least the part that says computers are for everyone, not just hobbyist geeks) and still lead it today. Android and Windows before it have just copied.

      2. werdsmith Silver badge

        The update strategy that means they have to update the whole OS each time a security issue crops up?

        No, the smaller security updates are usually just a few MB. The whole OS is closer to a 1GB download.

        I recall the recent locked home screen trick was fixed pretty sharpish.

        1. Anonymous Coward

          The whole OS is closer to a 1GB download

          Er, no, the OSX 10.11.1 installed is exactly 6,180,417,545 bytes - I tend to keep a copy around for emergencies and building boot USB drives :)

      3. Anonymous Coward

        The update strategy that means they have to update the whole OS each time a security issue crops up? You wait months for the update

        Not quite. The last update was actually rather recent - I must admit I'm getting a bit annoyed with seeing OSX getting to early Windows levels of update frequencies. Next thing you know we get patch Tuesdays, but at least you still have some control over it. On the other hand, this 10.11.1 update was expected - consider it the equivalent to a Service Pack to a new OS and in that context it's actually rather fast.

        As for updating the whole OS, you do have a point. I suspect because it's not just security, usually a point update also included functionality improvements. Otherwise the whole 6180417545 bytes would be indeed rather wasteful..

      4. PassiveSmoking

        As opposed to the update strategy that means you can't update your OS?

  2. rob miller
    Go

    dozens of new emojis - but not these I bet

    http://www.womenyoushouldknow.net/vagina-emojis-are-here/

    1. werdsmith Silver badge

      Re: dozens of new emojis - but not these I bet

      I notice the headline that Apple put in the update notification was "150 new emojis".

      Woopy doo.

      They didn't advertise that the new News App is now available without having to flip your territory to USA.

  3. DougS Silver badge

    Closed that jailbreak hole pretty quick

    Used to be a bit slower to close those up. The jailbreak people do them a service by finding holes for Apple to close - not that the tethered attacks are really worth much concern but the untethered jailbreaks are legitimate security bugs that get fixed thanks to the jailbreak folks.

    1. Kevin Fairhurst

      Re: Closed that jailbreak hole pretty quick

      9.1 has been in beta since before 9.01 came out; I suspect that Pangu knew that the full 9.1 release would close the hole, and therefore released the jailbreak for those willing to put tweakability* before security.

      * having insisted on only getting an original iPhone once they could be jailbreaked to allow unlocking & custom apps to be run - remember this was before the original app store launched - I have now gone the other way; I no longer see a value in jailbreaking, as it causes more problems than it solves. e.g. my online banking apps can tell if the phone has been jailbreaked, and thus they refuse to work!

      1. Dan 55 Silver badge

        Re: Closed that jailbreak hole pretty quick

        Stick with accessing the website with a browser, do you really trust online banking apps to get the SSL right?

        1. DougS Silver badge

          Re: Closed that jailbreak hole pretty quick

          Why should the apps be any worse than a browser? Apple provides APIs for SSL, and I assume Android does the same, so why should a banking app roll their own? I mean, they can, but so can browsers - and they do: Firefox uses NSS, Chrome used to use it and switched to OpenSSL, and then I believe Google forked that to "BoringSSL". Which API does Android use? Who knows. Is NSS more or less secure than the iOS APIs, and even if NSS is judged "more secure" today how about a month from now if some major exploit is discovered?

          Worrying about the SSL a banking app is using is not high on my list...

          1. Dan 55 Silver badge
            Alert

            Re: Closed that jailbreak hole pretty quick

            It's more than just the app calling a crypto library. The crypto library reports info and error conditions back to the apps but the apps don't verify the authenticity properly, they don't check if they're out of date, they don't check if they've been withdrawn, they don't cope with MITMs, etc.. etc... etc...

            Don't touch banking apps, use a browser. They've had years to get this right, the banking app was knocked up a year or two ago and it looked OK so it passed QA.

            Worrying about the SSL a banking app is using is not high on my list...

            Why, are you a Talk Talk customer?

            http://www.theregister.co.uk/2014/01/13/banking_apps_insecure_and_badly_written_say_researchers/

            http://www.theregister.co.uk/2014/02/14/fake_ssl_cert_peril/

            http://www.theregister.co.uk/2015/04/28/sourcedna_ssl_bug_ios/

            http://www.theregister.co.uk/2014/08/27/coding_flaws_study/

  4. Anonymous Coward
    Trollface

    Apple - "Testing? Yeah, we've heard about it..."

    1. PassiveSmoking

      Because no other software has problems, ever.

    2. Gordon 10 Silver badge

      Or they could just stick a permanent Beta sign on everything like Google do.

  5. Mike Ball

    Airdrop also fixed

    They don't mention fixing Airdrop on OSX - which has been crippled since El Capitan, and now works.

    1. chivo243 Silver badge

      Re: Airdrop also fixed

      I've never seen AirDrop transfer files very fast. That is if you can see your other device in the AirDrop window...

    2. Dan 55 Silver badge

      Re: Airdrop also fixed

      They've still not got the bug which stops you logging into the Mac App Store. I'd have thought they'd have pulled the stops out for that one.

  6. This post has been deleted by its author

    1. Anonymous Coward

      -----

      Posted with some app

      Is in-message advertising actually allowed in the El Reg forums?

      1. Jim Mitchell
        Facepalm

        @ AC

        Did you click on the "ACME Splaffer" link? I think it is fully in line with the Register mindset.

        http://www.gotati.com/splaffer.html

        1. Anonymous Coward

          Still - you end up with two lines and a URL added to every post that are of no relevance to the discussion. But hey, if that sort of .sig is acceptable, let's all have a go. Just need to dig up a fortune program now.

          ----

          Entirely handcrafted post

    2. jzl

      Just read your "Acme Splaffer" thing. You have waaaaaay too much free time.

  7. Quortney Fortensplibe
    Mushroom

    Not Much Point Updating the Software...

    When the hardware is allergic to planet Earth!

    Just had a nice run in with Apple, after the display backlight died on £1200+ Macbook Air. The laptop had been well looked after and never had anything spilled on it. Apple quote 'up to £800' to repair and won't do it under warranty because one of the 'Liquid Damage Sensors' has turned very slightly pink which apparently indicates "If not a direct spillage, excessive humidity in the air" –to quote the 'Genius' we spoke to.

    We live in England, fer feck's sake. The air is humid 10 months of the year. Maybe Apple should mark their gear with "Caution: Suitable for Use in California Only".

    Icon for my current opinion of Apple. F**KING C**TS! --->

    </spleen venting>

  8. Darryl

    Does the iOS update fix the annoying grey box that randomly covers the text entry window in the messaging app?

    1. BugabooSue

      Re: "Does the iOS update fix the annoying grey box..."

      Yes it does fix it - or is supposed to. :)
