Security News > 2022 > November > S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text]
Now, the critical update actually, it turned out that while investigating the first update, they found a second related update, so there are actually two of them those only apply to OpenSSL 3.0, not to 1.1.1.
DUCK. Well, the critical deal here is when we wrote about the update that included iOS 16.1 and iPadOS 16, which actually turned out to be iPadOS 16.1 after all.
Lo and behold, as good fortune would have it, they suddenly sent out a notification saying, "Hey, iOS 15.7.1 is out, and it fixes exactly the same holes that iOS 16.1 and iPadOS 16/16.1 did."
So you're going to either want to put mitigations in your own code to do the buffer length check correctly yourself, or to apply any needed updates when they come out.
DUCK. Eight and a half months later, isn't it?
They had a third party forensics team, they had all the experts in, and more than *eight months* later they said, "Hey, guess what guys, we think we've kicked the crooks out now"?