Slashdot Mirror


Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public about the nature of the problems.

8 of 573 comments

  1. Re:Reasons why... by talaper · · Score: 5, Informative

    Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    Your statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. That's a BIG difference.

  2. Apple knows its audience by Reverberant · · Score: 5, Informative

    A comment in response to the Scobleizer blog said it best:

    Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=61798 clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a050304-1.txt

    Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

    Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

  3. Re:Reasons why... by neuroticia · · Score: 5, Informative

    Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

    It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an insecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

    Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

    If there's a vulnerability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

    -Sara

  4. Re:Wow, this is pointless by Elwood+P+Dowd · · Score: 5, Informative

    Do they ship apache with every copy of mac os x?

    Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.

    The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".

    I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.

    --

    There are no trails. There are no trees out here.

  5. Re:Where's the evidence??? by SLot · · Score: 5, Informative

    Can you name a single Windows flaw that was in the kernel?

    http://www.net-security.org/vuln.php?id=3401
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0112

    I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?

    http://www.microsoft.com/technet/security/bulletin/MS03-013.mspx

    Google is your friend.

  6. Re:Reasons why... by 47Ronin · · Score: 5, Informative

    Perspective: people are surprised by all the security updates that Apple releases.

    Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some Linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
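
    Comments 4 and 6 both come down to which services are actually listening on a stock install (Apache ships, but is off until "Personal Web Sharing" is enabled). As an added example, not code from the thread, from Apple or from any poster, here is a small Python audit that parses `netstat -an` output in the BSD/macOS format, lists the TCP sockets in LISTEN state, and flags the ones bound to something other than loopback (that is, reachable from the network). The netstat sample, the port-to-service labels and the function names are constructed for illustration; on a real machine you would feed it the output of `netstat -an` instead.

```python
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `netstat -an` output in macOS/BSD format (not a real capture).
# On BSD the last dot separates the port from the address: "*.80", "127.0.0.1.631".
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.0.0.1.443           ESTABLISHED
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

# Assumed labels for the ports the thread talks about; purely for readable output.
KNOWN_PORTS = {
    22: "ssh (Remote Login)",
    80: "http (Apache / Personal Web Sharing)",
    631: "ipp (CUPS printing)",
}

LOOPBACK = ("127.0.0.1", "::1", "localhost")


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    service: str
    exposed: bool  # True when not bound to loopback, i.e. reachable from other hosts


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every TCP socket in LISTEN state found in BSD-style netstat output."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header lines, UDP rows (no state column) and non-listening sockets are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port_str = fields[3].rsplit(".", 1)
        if not port_str.isdigit():
            continue
        port = int(port_str)
        listeners.append(
            Listener(
                proto=fields[0],
                address=addr,
                port=port,
                service=KNOWN_PORTS.get(port, "unknown"),
                exposed=addr not in LOOPBACK,
            )
        )
    return listeners


def exposed_services(netstat_output: str) -> List[Listener]:
    """Only the listeners a remote host could reach: the ones a default install should not have."""
    return [l for l in parse_listeners(netstat_output) if l.exposed]


def report(netstat_output: str) -> str:
    """Human-readable summary, one line per listening socket."""
    lines = []
    for l in parse_listeners(netstat_output):
        flag = "EXPOSED" if l.exposed else "local-only"
        lines.append(f"{l.proto:5} {l.address:>12}:{l.port:<5} {l.service:38} {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; replace with live output on a real host:
    #   live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print(report(SAMPLE_NETSTAT))
    print(f"\n{len(exposed_services(SAMPLE_NETSTAT))} network-reachable listener(s)")
```

    Run on the sample, it reports three listeners and flags port 80 and port 22 as network-reachable while the CUPS socket on 127.0.0.1 is local-only. An empty "exposed" list is what the "zero services running" claim in comment 6 amounts to, and it is the state worth re-checking whenever a sharing panel has been toggled.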

  7. Re:update mechanisms by sjlutz · · Score: 5, Informative

    I've seen Windows and Microsoft bashed enough on Slashdot, and sometimes for good reasons, but I have to say that the parent post is completely wrong.

    1) The Windows Update is installed by default, and (annoyingly) pops up when using a new computer until you tell it what to do. The options are simple:
       1) Enable Windows Update (on by default).
          a) Notify before downloading.
          b) Download automatically, but don't install.
          c) Auto-download, and auto-install at scheduled time.
       Default is Updates ON, but just to notify.

    2) Yes, in the past there have been a couple of Windows updates that were not up to par, but they have become much better. The last problematic one I remember was about 2 years ago with an Exchange Update (not security related) messing up an existing Exchange server. I have yet to have a security update mess anything up, and I run about 100 Windows servers. Like any update, I do test on a non-production box (like a staging server or development server) before I push to production, but I have yet to have a problem.

  8. Re:update mechanisms by TechniMyoko · · Score: 5, Informative

    Windows Update is semi automatic. It downloads the patches rated critical, and asks permission to install them.

    As for some patches causing trouble, I seem to remember an update for OS X that neutered the network adapter.

    As for DLL hell, that was cured in XP/2K, which keeps multiple versions of DLLs.