Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.
Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!
Condemnant quod non intellegunt.
This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.
That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.
D
So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.
On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely,
/tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).
As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylinder Viper with the amount of resources they're claiming it's going to need to consume.
I'm happy with my fuel efficient tank that'll work on any road, thank you very much.
(Apologies to Neal Stephenson for borrowing the metaphor)
Karma: Non-Heinous
Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."
And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!
I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.
And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.
What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system."? Do bugfixes also need to give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.
As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.
Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.
Life is short: void the warranty.
Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:
He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
I'm a loner Dottie, a Rebel.
There's absolutely nothing wrong with the approach you suggest, and I would also advocate it.
But there's no point pretending that because you've kept it a secret, no-one's going to find out.
So you have to be prepared for the worst, even if you don't ask for it.
Yours Sincerely, Michael.
While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who are putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently included 18 MB of the Quicktime logo for each language it supports: Not So Quickthinking on this page. That's just lazy work.
What I have always wondered is if there are groups of people who actively try to write viruses for OS X. I would imagine that there has to be at least one person who has tried to do so, even if it is just as a proof of concept and not intended to be released in the wild. At least the idea of being the first person to write a majorly destructive virus for OS X must be appealing to the type of person that creates Windows viruses for fame. I think that answers to questions like these are important because it relates to how we view the security of the system. Along the lines you mentioned, how can people say that OS X has very tight security if it has never been put to the test in the wild? That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.
SIGFAULT
I'd agree with you for any issue that you can have some control over before the patch becomes available. What I mean is that if you can work around the hole by turning off a certain service or blocking a specific range of ports, then certainly everyone should be made aware of this.
If it's not on fire, it's a software problem.
Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!
Just felt like pointing it out. Good job in this instance.
How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:
XP:
http://www.securityfocus.com/bid/9694
NT4/2000/XP:
http://www.securityfocus.com/bid/7370
http://www.securityfocus.com/bid/3478
http://www.securityfocus.com/bid/4426
2000:
http://www.securityfocus.com/bid/6766
http://www.securityfocus.com/bid/8081
NT4/2000:
http://www.securityfocus.com/bid/10117
http://www.securityfocus.com/bid/1745
http://www.securityfocus.com/bid/1743
Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.
I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel", is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of the kernel.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.
When it comes to security holes... publicity is a very bad thing. When a security hole is reported across the mass media, it sends a wake-up call to hackers. When the patch to fix that security hole is released, it sends another wake-up call.
By underplaying the importance, and quietly fixing the problem... Apple's trying to say "Please, don't notice that." No, they can't exactly muzzle the press from talking about the hole, but by not answering media questions and by not making loud announcements when they patch holes, they end up making the life of the media a lot harder... and that just means sometimes the story won't get written. And Apple likes when that happens.
There's a two-pronged reason for being happy. Of course, Apple's marketing people are happy that their reputation isn't damaged when there's less bad media reports... but also, hackers going after Apple end up getting less information. After all, loud mass-media mentions of a hole reveal information to everyone, but the enemy is a subset of everyone, and giving information to the enemy is rarely a good thing.
Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. That's a BIG difference.
Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.
When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definitely think twice about it.
I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.
This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.
The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?
If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notorious for self-aggrandizing FUD designed to promote their services.
This reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?
(%i1) factor(777353);
(%o1) 777353
So......
Apple and Microsoft are both big corp. entities; as such the downplaying of security issues would be expected.
This strongly biased end user and multi platform support professional would like to add his 10 cents worth.
1. Apple and Microsoft both have services with discovered and yet undiscovered flaws.
2. Apple and Microsoft both release security patches to address those flaws typically when *discovered*.
3. Apple tends to patch these flaws *before* they become a problem for the end user base; discovery is typically done by the open source community from which many of these flaws were inherited.
4. Microsoft tends to patch these flaws after the end user base has brought the problems to their attention; discovery is typically done by the end user base under extremely painful conditions.
5. Apple and Microsoft both have mechanisms for priv. separation, both suggest using them, only one really practices this at installation time (you guess).
6. Apple tends to use defaults that reduce system risk while increasing end user ease of use (sometimes this leads to potential damage).
7. Microsoft tends to use defaults that are historical in nature while increasing system ease of use (scripting host, macros, com and wins?) but also tend to expose the end user in methods not easily understood by that end user.
Where am I going with this? This article is obviously a troll.
When asked about platform preference I suggest using the tool that is right at the time and place of need.
i.e. no money? linux and x86
i.e. money? modern mac hardware and OS X
i.e. you paying my bills? Solaris/Sparc Windows/X86
again, biased but hey!
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
The number of vulnerable machines strongly affects the time it takes for a worm to spread.
Consider the extreme cases:
If there are two vulnerable machines, and the first one is infected by hand, it will take on average 2^32/2 or about 2 billion tries to find the other one.
If every IP address has a different infectable machine behind it, the work gets parallelized and a sufficiently smart worm could infect every machine in the time it takes to do 32 infections. Even a less clever worm that probes randomly (thus duplicating a lot of effort) would infect nearly every machine after a few hundred infection-cycles.
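The scaling argument in the comment above, as an added Monte Carlo model that is not part of the original post: a worm that probes uniformly random addresses, with the address space scaled down to 2^16 so it runs in seconds, and the vulnerable-host count, probe rate and 95% saturation threshold all assumed parameters. From a defender's side it shows why the patch window shrinks drastically once the vulnerable population is large.

```python
import math
import random

# Scaled-down stand-in for the 2^32 IPv4 space (assumption; keeps runs to seconds)
ADDRESS_SPACE = 2 ** 16


def ticks_to_saturate(vulnerable, probes_per_tick=1, target=0.95,
                      space=ADDRESS_SPACE, seed=1):
    """Model a worm that probes uniformly random addresses.

    `vulnerable` hosts sit at random addresses in `space`; one of them is
    infected "by hand" at tick 0.  Each tick, every infected host fires
    `probes_per_tick` random probes; a probe that lands on an uninfected
    vulnerable host infects it.  Returns the number of ticks (infection
    cycles) until at least `target` of the vulnerable hosts are infected.
    """
    rng = random.Random(seed)
    targets = set(rng.sample(range(space), vulnerable))
    infected = {next(iter(targets))}        # the hand-infected first host
    goal = math.ceil(target * vulnerable)
    ticks = 0
    while len(infected) < goal:
        ticks += 1
        # Probing is parallel: the more hosts are infected, the more probes per tick
        for _ in range(len(infected) * probes_per_tick):
            addr = rng.randrange(space)
            if addr in targets:              # re-hitting an infected host is wasted effort
                infected.add(addr)
    return ticks


def mean_ticks(vulnerable, runs=8, **kwargs):
    """Average ticks_to_saturate over several seeds to smooth out luck."""
    return sum(ticks_to_saturate(vulnerable, seed=s, **kwargs)
               for s in range(runs)) / runs


if __name__ == "__main__":
    # Two vulnerable hosts: the lone infected host must stumble on one address
    print("V=2 hosts, ticks to saturate:", mean_ticks(2))
    # Every address vulnerable: growth is exponential until the space fills up
    print("V=all hosts, ticks to saturate:", mean_ticks(ADDRESS_SPACE))
```

With two vulnerable hosts the expected search is on the order of the whole address space, while with every address vulnerable saturation takes only a few more ticks than log2 of the population, because infection cannot do better than doubling each tick.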
They may release the patch... but what if your computer is rendered useless by applying it?
What the hell is this, an idiot convention???
First off, I listed FOUR, count 'em, 4 exploits that affect XP. Second, I clearly said, in no uncertain terms, that this was a quickly-compiled, partial list. I listed less than half the Microsoft kernel exploits my quick search found.
How about the 'Client Server Run-time Subsystem'? How about Netbios? How about the Virtual DOS Machine (VDM)?
Windows doesn't just have the basic drivers in its kernel, it has a lot more complicated cruft in there too.
Of course not, I was being facetious.
The program iexplore.exe is run in userspace, but the majority of the functions of the browser are not in the program, but in the OS itself. It is certainly not a solely user-space program.
Statistically true, but completely irrelevant. If programs like OpenSSH were made far less securely, Unix systems would have a far lower percentage of kernel flaws. The fact that Windows system security is crap should not be used to disregard the Windows Kernel problems; after all, it's the kernel that this thread is all about.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant