Mac App Store delays critical updates
The Mac App Store is the recently launched integrated application store for Mac OS X which brings the experience of the iPhone and iPad App Store to Apple's general purpose operating system. For the user, this promises a one-stop shop for Mac applications and easy installation and updating. But security expert Joshua Long has noted in a blog posting that the time taken by Apple to approve an application for the Mac App Store may be putting users at risk.
As an example, Long cites the Opera browser in the Mac App Store. A new version of Opera was released on Wednesday – version 11.11 – to fix a critical hole in the previous version 11.10. No update is available for the version in the Mac App Store, which is still at version 11.01 rather than 11.10; however, according to the change log, 11.10 contained no security fixes. Long contacted Opera Software, who told him that they were waiting for App Store approval on the new version and directed him to download the new version from www.opera.com/download/.
In testing at The H, downloading the 11.01 version from the Mac App Store and then running it immediately displayed an "Upgrade now!" dialog which, when clicked, downloads the 11.11 version. The new version is installed by dragging it into the Applications folder, but, because the previous version was installed with administrator privilege by the Mac App Store, the user has to manually delete the previous version first, which will require them to enter their password. Once they have done that, they can then drag the new version into place. The new version is no longer updated by the Mac App Store but by Opera's own auto-upgrade process.
Long also noted that Amazon's Kindle application in the store was version 1.2.3, whereas Amazon are currently shipping version 1.5.1. He was, though, unsure if there were any security updates in that as Amazon do not publish change logs. Applications in the Mac App Store are digitally signed and may not have their own built-in update routines; they are updated through the Mac App Store client application. This does offer convenience but it appears that, at least in this case, where applications need to be updated rapidly because of a security issue, the Mac App Store approval process adds several days' delay. Those extra days could be exploited by an attacker who learned the details of the flaw when the application maker published an advisory to go with the new version.