Apple Took 3+ Years to Fix FinFisher Trojan Hole

Yet another fine report from krebsonsecurity.com

"The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.

But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw."

Full story here. The exploit used a vulnerability in iTunes that permitted authors to use the update service to introduce malware to the system as though it were signed Apple code.

Definitely take the time to follow the WSJ link for more info on government surveillance. However, as it might make you queasy, you might wait until tomorrow.

That's their MO as it were never give a security report detailling a vulnerability the time of day. Then shortly afterwards lie and say you have a fix in the form of an update.
Sounds like what they just did with the spyware issue

Doesn't surprise me. There are still some hardcore apple fans who still believe Apple products can never have viruses/malware/etc.