Apple App Store apps are often old, vulnerable versions
Walled garden not so safe after all
Apple is publishing outdated software packages, subject to critical security vulnerabilities in some cases, through its App Store.
The problem was discovered by security researcher Joshua Long, who found that users who download a copy of Opera via the App Store get a copy of the software released in March.
Opera fixed a critical security flaw in this software (11.01) weeks ago. But the latest 11.11 version of the browser application is not available through Apple's App Store - surfers are instead offered a version of the software that's two releases out of date.
The Opera example is not the only example of potential problems, though it is the most serious. Amazon's Kindle app in the App Store dates from as far back as January, for example.
Apple's approval is necessary before software is published via the Mac App Store. This approach has arguably helped prevent the problem of Trojans and other rogue apps that have become an increasing problem in other software marketplaces. However, it does introduce a delay that means Apple is falling short of its promise to "keep track of your apps and tell you when an update is available".
Security savvy Mac users would be better to get updated software from a vendor's own website.
More on the issue can be found in a blog post by Long here. Additional commentary can be found in a post by net security firm Sophos here. ®
COMMENTS
Title
I've always found it takes about 7 days to approve an app (or an update) so I agree, if the app is way out of date it's the developer's fault and not Apple's. Would be nice if Apple had a mechanism for an emergency update though.
The Mac App Store isn't a closed garden...
This article is fundamentally flawed. It's not a closed garden because you can get both apps directly from the supplier, and you can install apps that aren't in the store. Thus we - and Apple - might expect the developers to ensure critical apps phone home for updates. Under these circumstances, keeping versions up-to-date is not as critical as it is in a =real= walled garden such as the iPhone, where Apple is entirely responsible for the apps installed.
What it does say is that Apple are at present a little tardy at reviewing new versions of some apps. Well, surprise surprise - new app store for established platform is a little behind in its homework.
It also might have been more honest if the qualification about it being the MAC store was a little less buried in the prose... given the entirely different operating models of the iOS app store and the Mac app store.
Instead of this guff, what we REALLY want to know is Apple's response to critical vulnerabilities for iPhone and iPad apps.
Oh do fuck off
>>Security savvy Mac users would be better to get updated software from a vendor's own website.
No, Mac App Store is perfectly capable and a brilliant device for updating installed applications. Yesterday it updated 6 apps that I had downloaded because I hadn't run it for a couple of weeks.
So in 3 clicks, I had installed 6 updates, as opposed to visiting 6 different sites, navigating through various download menus, downloading all sorts of crap onto my machine from straight applications, to dmgs, and the whole 9 yards. 20 minutes vs 3 clicks ffs.
No, instead 3 clicks (including clicking on Mac App Store app) and it's all done for me.
