Mac App Store delays critical updates

reghakr

The Mac App Store is the recently launched integrated application store for Mac OS X which brings the experience of the iPhone and iPad App Store to Apple's general purpose operating system. For the user, this promises a one-stop shop for Mac applications and easy installation and updating. But security expert Joshua Long has noted in a blog posting that the time taken by Apple to approve an application for the Mac App Store may be putting users at risk.

As an example, Long cites the Opera browser in the Mac App Store. A new version of Opera was released on Wednesday – version 11.11 – to fix a critical hole in the previous version 11.10. There is no update for the version in the Mac App Store, which is still at version 11.01 rather than 11.10; however, according to the change log, 11.10 contained no security fixes. Long contacted Opera Software, who told him that they were waiting for App Store approval on the new version and directed him to download the new version from www.opera.com/download/.

In testing at The H, downloading the 11.01 version from the Mac App Store and then running it immediately displayed an "Upgrade now!" dialog which, when clicked, downloads the 11.11 version. The new version is installed by dragging it into the Applications folder, but, because the previous version was installed with administrator privilege by the Mac App Store, the user has to manually delete the previous version first, which will require them to enter their password. Once they have done that, they can then drag the new version into place. The new version is no longer updated by the Mac App Store but by Opera's own auto-upgrade process.

Long also noted that Amazon's Kindle application in the store was version 1.2.3, whereas Amazon are currently shipping version 1.5.1. He was, though, unsure if there were any security updates in that as Amazon do not publish change logs. Applications in the Mac App Store are digitally signed and may not have their own built-in update routines; they are updated through the Mac App Store client application. This does offer convenience but it appears that, at least in this case, where applications need to be updated rapidly because of a security issue, the Mac App Store approval process adds several days' delay into the process. Those extra days could be exploited by an attacker who learned the details of the flaw when the application maker published an advisory to go with the new version.

Source: Mac App Store delays critical updates - The H Security: News and Features
 
Apple’s Mac App Store puts users at risk because it is slow to update vulnerable software, a security researcher said May 18.

The researcher noted the Opera browser had not been updated on the Mac App Store since March 1.

Since May 18, however, Opera has released two updates to add features, fix crash bugs, and patch vulnerabilities. Opera updated to version 11.11 May 18, which closed a critical hole that could be exploited by attackers to infect a Mac with malicious code.

“Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser,” the researcher said.

When Apple launched the Mac App Store in January 2010, one of the online mart’s selling points was it would automatically notify customers when updates were available.

The researcher’s argument is Apple failed to make good on the promise. “Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old,” he said.

Source: Mac App Store's slow updates expose users to security risks - Computerworld