Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.
Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!
Condemnant quod non intellegunt.
This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.
That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.
D
Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."
And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!
I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.
And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.
What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system."? Do bugfixes also need to give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.
As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.
Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.
Life is short: void the warranty.
Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:
He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
I'm a loner Dottie, a Rebel.
While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches from Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who are putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently included 18 MB of the Quicktime logo for each language it supports: Not So Quickthinking on this page. That's just lazy work.
Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!
Just felt like pointing it out. Good job in this instance.
How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:
XP:
http://www.securityfocus.com/bid/9694
NT4/2000/XP:
http://www.securityfocus.com/bid/7370
http://www.securityfocus.com/bid/3478
http://www.securityfocus.com/bid/4426
2000:
http://www.securityfocus.com/bid/6766
http://www.securityfocus.com/bid/8081
NT4/2000:
http://www.securityfocus.com/bid/10117
http://www.securityfocus.com/bid/1745
http://www.securityfocus.com/bid/1743
Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.
I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel", is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of the kernel.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.
Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.
When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definitely think twice about it.
I don't think people on dial up ever patch, because downloading the 100 megs of updates that Jaguar, Panther, and XP require has got to be hell.
This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.
The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?
If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notorious for self-aggrandizing FUD designed to promote their services.
This reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?
(%i1) factor(777353);
(%o1) 777353