Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". Seems making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.
I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.
However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here." There's really no proof (hard or soft) for any of the assertions in the article.
In conclusion, there's really really nothing to see here.
RD
I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.
"Slashdot, where telling the truth is overrated but lying is insightful."
I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).
Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel.Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.
Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token. Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Security by obscurity is bad as a long term approach. However, it's not necessarilly a bad thing during the day/week/month it takes you to write and test the fix.
It would be a bad idea to protect your house by trying to keep the fact that your front door's lock is broken a secret. But, it also wouldn't be a good idea to put a giant sign out advertising that fact while you were waiting for the locksmith.
If it's not on fire, it's a software problem.
If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.
Don't publicize such articles by posting them on Slashdot.
I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policys.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...
And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.
I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.
There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides even if the worm writer did find out throught he description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason, if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether i'd be able to recover something if it broke. If something goes wacky on a wireless card wpa fix, and your wireless card no longer works you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having ot do with wireless.
What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...
Can I get an eye poke?
Dog House Forum
Yes but you're not telling only the owners of the lockers, you're telling everyone walking by the gym too.
Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.
I have no idea how to solve this, it's a fairly deep question, deeper than me just now with a bottle of wine in me.
Yours Sincerely, Michael.
Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.
Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.
Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
I have to disagree with you on the "No bragging rights" point. A Mac only worm that spread around and nailed a few hundred thousand or so users, and even caused actual data loss would be a crushing blow to Apple... the writer of this would be quite infamous. Nobody cares when another Windows worm comes out, but if one comes out on the Macs, you'd better believe everyone who's ever said "Apple is dying!" is going to come crawling out of the woodwork and make sure it's never forgotten. Those of us in the know wouldn't be bothered much by it, but the FUD spread would be incredible.
-Don.
Cwm, fjord-bank glyphs vext quiz
Have you actually talked to some art students lately? Aside from people that are actually doing computer graphics work, their computer skills (in general) are pitiful. Having a Mac does not help this - in fact, it gives them even less incentive to actually learn how their computer works beyond "double-click the cute little icon to open IE/AIM/Photoshop/etc.".
This is a problem, why? They are learning art, not computer science. They are ARTISTS learning about how to create ART, using the computer as a tool (or perhaps toolbox). This art is not some excuse for these students to hone up on their computer skills and become some sort of pseudo computer geek that would appear to be more acceptable to you.
"Anyone that has ever gotten an idea based on any of my work and done something better with it-good for you."--J.Carmack
Apply Occam's Razor.
What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
-or-
Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.
Hmm. I wonder. %)
# # #
That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
I know there is some issue with "What if the company gets the report, but doesn't do anything with it ?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw-documentation at a time, so that over time the likeliness of an exploit becomes higher - but only by those with enough knowledge, rather than every script-kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.
Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.
You're assuming
a) that the black-hat community does NOT disseminate vulnerabilities amongst themselves even before the white-hat community does
b) that patching is the only way to get rid of a vulnerability.
Case in point wrt b) the Sasser worm is effectively killed by switching on your friendly neighborhood firewall/IP filtering (which is built right in to the affected OSes). You don't even need to switch off a single service (though in many cases only a single service (or daemon) is affected).
SCO employee? Check out the bounty
The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."
The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable.The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.
Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that soemone will bite.
Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.
If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absense of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".
Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".
I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).
I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.
I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine, the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is , um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non-sequitor and ad-hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.
People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.
That's all I have to say on this.
Security holes in any system will come out more quickly when more people use it. The fact that Apple can (usually) find and fix security holes before they are made publicly known might just stem from the fact that their user base is smaller than Microsoft's and therefore their security holes are more obscure (in terms of publicity, not coding content). The most used product will always have the most exposed flaws. Microsoft simply can't keep up with the number that are exposed; who's to say they same wouldn't be true if Apple was the industry standard? Immunity from errors of this kind can be found in open source type systems, but that's a whole other can of worms.
Perspective: people are surprised by all the security updates that Apple releases. Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.
I think this sums up the arguement nicely.... so why were people still ranting about BS after 47Ronin posted it?
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
My point being that, first off Apple might want to be quiet about it because the majority isn't effected, and second the vunerabilities aren't nearly integral to the OS as most windows vulnerabilities are.
My apologies if this is redundant.
Instead of "claiming" that OS-X has a horrible security issue, with practically no proof to back that statement up, I'd really LOVE to see a OS-X worm. In-fact, I would put up some money to the author of such a worm. Because up to this point, there has still been 0 serious security problems in OS-X.
I do tech support all over So. CA, for mac and pc clients. And I have made 10x as much money from running to the PC client's LAN and ridding it of worms, spyware, and such, than to my Macintosh clients.
I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack-thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.
I easily backup friends and clients PC's through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.
I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)
In conclusion, I really would love to see a "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.
Viva la OS-X!
- Insolence (Mac User/Evangelist)
The most used product will always have the most exposed flaws.
Apache has demonstrated this is simply false.
Tweet, tweet.
Quietly, yes, very. Quickly? No.
If you call a fix for a good ol' buffer overflow a "patch to improve the handling of long passwords" you're being too quiet: people will not be properly motivated to install the patch.
And doing roll-up patches for old (sometimes very old) issues once a month only does not qualify as quick. Sorry.
I mean, look at this week's update, all of the issues patched were discovered in 2003.
Like some others here I am completely astonished that "security by obscurity" is suddenly a good thing when Apple does it. Come on folks, get a grip. Apple isn;t doing this right, don't close your eyes to that simple, obvious fact just because you like them.
2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related)
Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix) if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys - (the last one being PRETTY common on corporate servers) instead of your machine rebooting all the time - it will just hang or fill up a CPU to 100%
Microsoft are now offering a hotfix to one of their patches! priceless!!
'By the pricking of my thumbs, something wicked this way comes'