Slashdot Mirror


Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

12 of 573 comments (clear)

  1. Poorly thought out, badly written sensationalism. by Raindance · · Score: 5, Insightful

    I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.

    However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here." There's really no proof (hard or soft) for any of the assertions in the article.

    In conclusion, there's really really nothing to see here.

    RD

  2. Biggest bunch of bull ever by falcon5768 · · Score: 5, Insightful
    The fact that they call this currrent windows worm not a major threat tells you where their mind is and whos paying their pockets.

    I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  3. Re:security holes on a BSD-based system??? by Kenja · · Score: 5, Insightful
    "Gee, and after all we've been told about Windows being the only insecure platform.... who'da thunk it?"

    Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token. Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Re:Wow, this is pointless by HeghmoH · · Score: 5, Insightful

    And then they mention a hole in Apache? WTF? Not Apple's problem.

    It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  5. Re:Where's the evidence??? by lakeesis · · Score: 5, Insightful

    I think it's even more disturbing that the author doesn't seem to have a problem with the use of only one source to back up what is a pretty wide-ranging assertion --> security company A says that apple has big flaws, so apple must have BIG FLAWS! OMG! The sky is falling!! -- instead of relying on a collection of different security company opinions to base her assertions.

    Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.

    --

    If we do not do what we must do, what we must do does not get done.

    --
    sig: I'm not at home, or busy. please leave new sig after the tone.
  6. Re:Reasons why... by DA-MAN · · Score: 5, Insightful

    And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

    I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.

    There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides even if the worm writer did find out throught he description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason, if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether i'd be able to recover something if it broke. If something goes wacky on a wireless card wpa fix, and your wireless card no longer works you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having ot do with wireless.

    What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

    Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...

    --
    Can I get an eye poke?
    Dog House Forum
  7. Re:Wishing for a way to mod "journalists" as troll by CalTrumpet · · Score: 5, Insightful

    Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.

    Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.

    Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.

  8. Nah, just a bad article by Anonymous Coward · · Score: 5, Insightful

    Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.

    If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absense of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".

    Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".

  9. Re:Reasons why... by abscondment · · Score: 5, Insightful

    Security holes in any system will come out more quickly when more people use it. The fact that Apple can (usually) find and fix security holes before they are made publicly known might just stem from the fact that their user base is smaller than Microsoft's and therefore their security holes are more obscure (in terms of publicity, not coding content). The most used product will always have the most exposed flaws. Microsoft simply can't keep up with the number that are exposed; who's to say they same wouldn't be true if Apple was the industry standard? Immunity from errors of this kind can be found in open source type systems, but that's a whole other can of worms.

  10. Less used features vs. Core problems by Schapht · · Score: 5, Insightful
    It seems to me that all these holes are in systems that the average OS X user wouldn't use very often if at all. I'm a developer using Mac OS X, and I'm not even effected by most of these.
    1. as far as I can tell, OS X uses Apache 1, not 2
    2. I don't use IPSec, but some people might. I would bet the percentage is small
    3. Most people use Samba anymore because it's not as proprietary as AFS
    4. most users don't allow remote logins (escalation wouldn't be a problem)
    5. not sure about RAdmin


    My point being that, first off Apple might want to be quiet about it because the majority isn't effected, and second the vunerabilities aren't nearly integral to the OS as most windows vulnerabilities are.

    My apologies if this is redundant.
  11. Can you say Apache? by weston · · Score: 5, Insightful

    The most used product will always have the most exposed flaws.

    Apache has demonstrated this is simply false.

  12. Re:update mechanisms by Gumph · · Score: 5, Insightful

    2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related)

    Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix) if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys - (the last one being PRETTY common on corporate servers) instead of your machine rebooting all the time - it will just hang or fill up a CPU to 100%
    Microsoft are now offering a hotfix to one of their patches! priceless!!

    --
    'By the pricking of my thumbs, something wicked this way comes'