
slightlyoff@toot.cafe ("Alex Russell") wrote:
Back in '22, regulators started peering over their glasses at Apple's indefensible [1][2] claim that forced monoculture was Good For Users, Actually.
To deflect, Apple introduced "Rapid Security Responses":
How's that going?
LOL.
Apple tried one (1) RSR in '23, [3] and *never again*.[4] Prolly because **it didn't work**:
[1]: https://www.theregister.com/2021/05/27/safari_webkit_bug/
[2]: https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html#h.4ajnbffcm6lj
[3]: https://support.apple.com/en-us/121012
[4]: https://support.apple.com/en-us/100100
Attachments:
- Apple's WebKit/Safari patch gap has historically sucked by comparison to other vendors, not so much because they're slower to accept patches, but because bundling the browser with the OS is a terrible idea, but one Cupertino can't shake. And it turns out, "Rapid Security Response" didn't work, either. The answer is obvious -- decouple, and spend what it takes to make security a priority -- but that's not The FruitCo Way.