One of the fixes in iOS 9.2.1, released on Tuesday, addressed a bug that could have allowed an attacker to impersonate iPhone and iPad users.
What makes this innocuous-looking, run-of-the-mill security patch more interesting is how long it took Apple to fix the flaw.
According to Skycure, which revealed details of the flaw on Wednesday, it took almost three years from the point it was reported in June 2013.
The “captive portal” bug, which we highlighted when the update first crossed the wire, was one of the more notable bugs patched and was difficult to fix.
Here’s how the flaw worked:
When impacted iPhone and iPad users connect to a captive-enabled network — typically these are hotspots at businesses, airports, and coffee shops — a window is shown allowing a hotspot owner to show terms and conditions over a standard, unencrypted connection. Once accepted, the user can browse the web normally. But the embedded browser shares its unencrypted cookie store with Safari.
Simply put, as the researchers explained, an attacker can steal the unencrypted cookies stored on a vulnerable iPhone or iPad, which can lead to impersonation attacks.
The bug affected iPhone 4s and iPad 2 devices and later, Apple’s initial advisory said.
The researchers said the fix was “more complicated than one would imagine,” leading in part to the long wait time.
By today’s standards it’s rare to have a company sit tight for so long and not blow the lid open in order to get the fix pushed out faster. These so-called responsible disclosures typically give companies three months to fix the flaw, and in return the finder receives a bounty for finding the vulnerability.
Downloading and installing iOS 9.2.1 fixes the vulnerability; the update is available over the air from the device’s settings menu.
Apple did not immediately respond to a request for comment.