I wasn’t really expecting to write about “government Trojans” on this blog, though the subject has come up several times elsewhere, as in blogs by Robert Lipovsky and David Harley at ESET, not to mention an AVAR conference paper David and Craig Johnston presented some time ago. And in fact, while the commentary on FinFisher in Brian Krebs’s article Apple Took 3+ Years to Fix FinFisher Trojan Hole is interesting in itself, it’s obviously the unusually long delay in patching the iTunes vulnerability that FinFisher relied on that catches the eye: Krebs first wrote about the vulnerability for the Washington Post in 2008, and says that Apple were notified on July 11th of that year.
While most commentators seem to be assuming that this is probably a case of a lapse in attention on Apple’s part, I have seen it suggested (not by Krebs) that the company (a) might have been asked to leave the hole unplugged so that a government trojan could continue to operate, or (b) left it unplugged because it only affected Windows users.
Neither seems likely to me: Apple may or may not care about users of its Windows software, but it does care about its own reputation, and neither of those ideas would reflect well upon the company ethically. Sometimes, the cock-up theory just seems so much more likely than the conspiracy theory.