FreeBSD Shines While Apple Fails
Apple is making a lot of money these days. The more money it makes, the greater the contempt for its customers it seems to display. A critical bug recently discovered in FreeBSD, and the speed with which this bug was resolved, illustrates this rather well. If you use Apple's products in your business, be afraid; be very afraid.OS Roundup: FreeBSD's response to a recent bug presents a sharp contrast to how Apple handles similar issues.
Here's how the sorry story unfolds. FreeBSD 8.0 was released last week, and the latest version of the UNIX-like OS was generally received with approval. FreeBSD enjoys a good reputation with its followers, and many OSes and products contain code based on or borrowed from the OS, including Juniper routers, and ironically, as we shall see Mac OS X.
This latest release includes network stack virtualization using a new virtualization container, an improved USB stack, binary compatibility with Fedora 10 Linux, and an update to version 13 of the very wonderful ZFS. And, as they say, much, much more.
So far so good. Until Monday morning, when researcher Nikolaos Rangos announced he discovered "an unbelievable [sic] simple local r00t bug in recent FreeBSD versions," along with some exploit code. The vulnerability affected the 8.0 release, as well as the older 7.1 and 7.0 versions of FreeBSD.
All software has bugs, but it's how people react when things go wrong that you can judge them. Did the FreeBSD folks sit around and do nothing? Did they busy themselves with other things and leave 8.0, 7.1 and 7.0 users vulnerable to pwnage? No, they did not! A matter of hours later Colin Percival, FreeBSD's security officer, made this announcement:
A short time ago a 'local root' exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root ... since exploit code is already widely available I want to make a patch available ASAP.
And with that, he released said patch.
Now Apple is infamous for being tardy in patching its software, leaving its users vulnerable long after other OS makers have fixed the same problems to protect theirs. This contempt for users is breathtaking, and recently things have got surreally worse: Apple now seems intent on treating developers for its platforms as shoddily as it treats its customers. One such developer is Rogue Amoeba, which makes audio software for OS X and the iPhone OS.
Rogue Amoeba released its Airfoil Speakers Touch software on Apple's AppStore a while back, and it released a new version to fix some issues a while after. Or at least it wanted to. It passed the new version of the software to Apple and expected the company to make it available on the AppStore pronto.
Did Apple make it available? Did Apple ensure its customers had the latest, bug-fixed software straight away? In a couple of days? In a week? A month perhaps? No. It carried on making money, to be sure, by selling the old, buggy version of the software to its iPhone and iPod Touch customers, while it messed around with its approval process that it says is designed get this to protect its customers.
Apparently Rogue Amoeba's software used a graphic Apple wasn't happy with, and despite allowing it in the original version, the company decided it couldn't appear in the update. Some three and a half months later the update was finally allowed to appear in the AppStore, Rogue Amoeba said.
During that time, Rogue Amoeba's customers suffered, Rogue Amoeba suffered and Apple ... profited. In this case the problem was a sound issue, but what if the problem was a security vulnerability in an enterprise app? The possible security implications don't bear thinking about.
This is contempt for its customers and developers of epic proportions, and Rogue Amoeba is not going to put up with it any longer: The company has now abandoned plans to develop for Apple's smartphone platform in the future. Apple's behavior to its customers is quite a contrast to that of the FreeBSD folks, who apparently pulled all the stops to get a bug fix out in a matter of hours. But then FreeBSD doesn't hold its users in contempt while easing the banknotes from their wallets. All credit to them.
The moral of the story? When you dance with the devil, you wait for the song to stop. Apple's customers are learning the hard way that when you dance with Apple, you'll often be kept waiting a long, long time.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.