Apple Took 3+ Years to Fix FinFisher Trojan Hole
Yet another fine report from krebsonsecurity.com:
"The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.
But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw."
Full story here. The exploit used a vulnerability in iTunes that let malware authors abuse the update service to introduce malware to the system as though it were signed Apple code.
Definitely take the time to follow the WSJ link for more info on government surveillance. However, as it might make you queasy, you might wait until tomorrow.