
Ahh, so they probably had to restart the QA on the whole release a few days ago (including FaceTime Audio and associated features) after adding the TLS fix at the last minute.

It makes a bit more sense why they'd make us wait a few days, now.




They already knew about the TLS issue. Remember, they found and fixed it themselves. It is not like Apple's release of iOS 7.0.6 was what alerted Apple to the vulnerability in OS X.

The problem was not coordinating the release of 10.9.2 and iOS 7.0.6. The other problem is their patching cycle in general.

This update includes many high severity fixes from mid 2013 and one issue as far back as 2011. That tells you all you need to know about Apple's security program management. They release uncoordinated and when they feel like it, with no sense of urgency. It's convenient for them to just toss critical security fixes in to their 6 month OS updates, so they do.

Some criticize Microsoft for their "slow" patching, but they at least have a dedicated monthly cycle just for security updates, and they will send them out of band if a 0day gets exposed. And rarely will you see them drop 0day on themselves (though this wasn't always the case).


> It makes a bit more sense why they'd make us wait a few days, now.

It's still terrible. They should have pushed out a fix for this vulnerability first and push back 10.9.2 if necessary. Or perhaps introduce a modern package system for the base system.


It's still inexcusable. The security update should have been immediate and separate.


You still need a minimal amount of testing and release packing. 4 days for an OS update is pretty good response time IMHO, and I thank the Apple engineers that probably worked their asses off to get this mess sorted out.

What this doesn't excuse is disclosing the iOS bug before all fixes are ready. THAT was the major screwup.


I don't think a simple 10.9.1.1 (10.9.1 which was already tested, plus JUST the one-line SecureTransport fix) would have required >24h testing.

It was their decision to put the fix in 10.9.2 which is the problem. I agree rushing 10.9.2 would have been bad.


You don't know that at all. For all you know there are programs which depend on the undefined behaviour (very unlikely, but then what do we know?).


It wasn't 'undefined' behaviour, it was 'misdefined'. And I'm sure there are/were programs that depended on it; that's the worrying thing ...


Nope, I disagree. Microsoft releases emergency hotfixes within about 24 hours usually, if a security vuln is critical enough. And this one is definitely extremely critical.


Let's be honest, Microsoft is better at security than Apple, mostly as auto-immune response, but regardless of the cause, they've been battle-tested and they know how to handle it.


Also (until very recently) better at developer support, particularly for enterprise developers. MSDN was amazing.


Microsoft has had to deal with more security issues for obvious reasons. Apple has not had a serious security protocol, on the basis of assuming the platform is flaw-free. Even if that were the case, how seriously and professionally each is handled is what builds or breaks PR/credibility. IOW, you're only as good as your last performance.


Did you read the release notes? There were several arbitrary code exec overflows and a sandbox bypass that were patched as well. Nobody is freaking out that these took days or weeks to ship...


> 4 days for an OS update is pretty good response time IMHO

For quite a serious vulnerability, which requires removing one goto statement to solve? I am not sure by what standards that is a good response time. There is surely something wrong with Apple's procedures here.
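The "one goto statement" in the comment above refers to a control-flow defect: an unconditional jump to the error label that skipped the signature check that followed it. The block below is a constructed illustration added here, not Apple's SecureTransport code; every name in it (`verify_buggy`, `verify_fixed`, `hash_update`, `signature_verify`, the status values) is a placeholder chosen for the example. It shows the vulnerable shape next to a hardened shape and why the "simple" fix still deserves a regression test.

```c
#include <stdio.h>

/* Constructed illustration of a duplicated "goto fail" line. This is NOT
 * Apple's code; function names and status values are placeholders. */

typedef int OSStatus;                                   /* placeholder status type */
enum { errSecSuccess = 0, errSSLCrypto = -9809 };       /* values chosen for this example */

/* Stand-ins for the hash-update and signature-verify steps; each returns 0 on
 * success. The verify step is driven by a flag so a test can force a failure. */
static OSStatus hash_update(int *ctx, int value)      { *ctx += value; return errSecSuccess; }
static OSStatus signature_verify(int ctx, int sig_ok) { (void)ctx; return sig_ok ? errSecSuccess : errSSLCrypto; }

/* Vulnerable shape: the second, unconditional "goto fail" is always taken
 * while err is still 0, so signature_verify() is never called and the
 * function reports success for any signature. */
static OSStatus verify_buggy(int sig_ok)
{
    OSStatus err;
    int ctx = 0;

    if ((err = hash_update(&ctx, 1)) != errSecSuccess)
        goto fail;
    if ((err = hash_update(&ctx, 2)) != errSecSuccess)
        goto fail;
        goto fail;                                      /* duplicated line: always taken */
    if ((err = signature_verify(ctx, sig_ok)) != errSecSuccess)   /* unreachable */
        goto fail;

fail:
    return err;
}

/* Hardened shape: braces keep a stray duplicated line inside its block, and
 * the exit path refuses to report success unless the verify step ran. */
static OSStatus verify_fixed(int sig_ok)
{
    OSStatus err;
    int ctx = 0;
    int verified = 0;

    if ((err = hash_update(&ctx, 1)) != errSecSuccess) {
        goto fail;
    }
    if ((err = hash_update(&ctx, 2)) != errSecSuccess) {
        goto fail;
    }
    if ((err = signature_verify(ctx, sig_ok)) != errSecSuccess) {
        goto fail;
    }
    verified = 1;

fail:
    /* Fail closed: success without a completed verification is an error. */
    if (err == errSecSuccess && !verified) {
        err = errSSLCrypto;
    }
    return err;
}

int main(void)
{
    printf("buggy,  bad signature: %d\n", verify_buggy(0));   /* 0: accepted anyway */
    printf("fixed,  bad signature: %d\n", verify_fixed(0));   /* -9809: rejected */
    printf("fixed, good signature: %d\n", verify_fixed(1));   /* 0: accepted */
    return 0;
}
```

Two checks a practitioner would add alongside such a fix: compile with clang's `-Wunreachable-code`, which flags the dead `signature_verify` call in `verify_buggy`, and keep a negative test (bad signature must be rejected) so the control-flow defect cannot silently return.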


Yes, if you don't test and it stops all the devices with X installed, you will have a lot of unhappy customers. And no fix, however simple, is risk-free.


They could have done the OSX testing at the same time as the iOS and the AppleTV testing. Remember, it's not 4 days response time, it's (4 days + however long the iOS response time was). They unleashed a 0day on themselves.


Why do you think they only knew about this bug for 4 days?


Because that's all we actually know and anything else would be gross speculation.


Apple had more than 4 days. Apple knew about and fixed the iOS bug. We don't know when they became aware of the SSL bug (in iOS & OSX), but it certainly wasn't on the day that Apple released the OSX bug.


It's totally unacceptable. Even Microsoft does patches of this severity in less than 24 hours.

I suspect what this points to is that Apple doesn't have automated testing and they need a bunch of old school "hands on keyboards testers" to run a test case list that takes 4 days.


The parent 'suspects' and doesn't actually know. It's not 'totally unacceptable' either. It's over a weekend and it's a set of trade offs about cutting a release made by a bunch of smart engineers who were probably very tired (last week for them has probably sucked) and they've just pulled a long weekend to get this out the door.

If you find this 'totally unacceptable', my suggestion would be to either go join them and help them improve the situation or to move to another OS. Bitching on the internet merely indicates how little experience you have with the trade-offs that need to be made when pushing large volumes of software.


> my suggestion would be to either go join them and help them improve the situation

Uhh no, we're customers. I don't find it unacceptable but if I did, it's within my rights to say so without "help[ing] them" as I pay the Apple Tax happily and repeatedly.


> It's over a weekend ...

So call some employees in!


"Even Microsoft" is terribly wrong. In fact, Microsoft is several years ahead of other software companies regarding the security lifecycle of its products.

The early-days fiascos are long gone and the SDL (http://www.microsoft.com/security/sdl/default.aspx) has performed really well.


How is that 'totally unacceptable' when this is not? http://m.slashdot.org/story/198449


Microsoft also has a history of not disclosing it until there's a fix.


I think it's more likely that both were in the pipeline, and QA finished iOS 7.0.6 first - last week, and QA for 10.9.2 was slated to finish this week. So do you hold it or not?

Is it more critical to have 4 days of protection, or 4 days of "WTF is Apple incompetent" press?


I know I'd choose 4 days of protection instead of 4 days of bad press :)



