Slashdot Mirror


Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

13 of 573 comments (clear)

  1. Re:Reasons why... by Anonymous Coward · · Score: 5, Interesting
    If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.
    Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
  2. Keeping quiet makes perfect sense to me! by Txiasaeia · · Score: 4, Interesting
    Think about it: if Apple keeps quiet about the massive and widespread effects of viruses on their OS, the benefits are:

    -Less damage to the Apple brand
    -Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
    -More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.

    Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!

    --
    Condemnant quod non intellegunt.
    1. Re:Keeping quiet makes perfect sense to me! by neuroticia · · Score: 4, Interesting

      Benefits of letting your users know:

      1- They will be aware that their OS isn't perfect. Healthy paranoia is essential to running a system that is secure. If you're not healthily paranoid... "That update? I'll download it later. First I'm gonna download this latest and greatest 3D Game and give it a go."

      2- If they are aware that there is currently a vulnurability for... Safari, they have the option of using an alternative browser until the vulnurability is patched. Quicktime? They're aware there is a problem, and put off on downloading quicktime from unknown sources for a while. (Brittney Spears porn? That can wait until a patch is out!)

      Bottom line- If Apple DOES NOT let their users know about a vulnurability and nothing happens--no biggie. If Apple knows about a vulnurability and DOES NOT let its users know, and something does happen.. Boom, Apple's got a virus, or a remote root exploit, and everyone knows about it. If Apple says "We knew", then they're guilty of not informing their customers. If Apple says "We didn't know", then they're guilty of not knowing how to secure their OS, and not keeping on top of things.

      Apple's got a small marketshare that they're trying to increase, and they're trying to burst into a new market where people are still skeptical. Covert cloak and daggar "security by obscurity" is never a good thing, and in this market it will only alienate. It's MUCH better for Apple to say "We have a vulnurability... And three hours later we have a patch."

      -Sara

  3. Re:Reasons why... by daviddennis · · Score: 5, Interesting

    This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.

    That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

    D

  4. Wishing for a way to mod "journalists" as trolls.. by mike_lynn · · Score: 5, Interesting

    Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."

    And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!

    I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.

  5. Re:Reasons why... by Rosyna · · Score: 4, Interesting

    And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

    What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

  6. Re:Reasons why... by gunnk · · Score: 5, Interesting

    Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

    As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.

    Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.

    --
    Life is short: void the warranty.
  7. Black Cadillacs by Graymalkin · · Score: 5, Interesting
    It is really nice of TechWorld to let companies write their "articles" for them. This article is complete and utter tripe. I think this is quite a bit worse than the expose from Intego and their inane little "trojan horse". None of the outlined exploits went unpatched for any significant period of time, I downloaded the security updates that cleared up the problems just last week in fact. They're also not the sort of exploits that make Sasser and Blaster look like little nips.

    Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of preportion by Kieren McCarthy:

    This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.


    He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
    --
    I'm a loner Dottie, a Rebel.
  8. Apple isn't particularly good at the patching game by SilentChris · · Score: 4, Interesting

    While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who's putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently include 18 MB of the Quicktime logo for each of language it supports: Not So Quickthinking on this page. That's just lazy work.

  9. Surprisingly unbiased article summary by bonch · · Score: 5, Interesting

    Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

    I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!

    Just felt like pointing it out. Good job in this instance.

  10. Re:Where's the evidence??? by evilviper · · Score: 5, Interesting
    You can bash Microsoft's userland applications (RPC in particular!) as much as you want, but their kernel is extremely well-written.

    How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:

    XP:
    http://www.securityfocus.com/bid/9694

    NT4/2000/XP:
    http://www.securityfocus.com/bid/7370
    http://www.securityfocus.com/bid/3478
    http://www.securityfocus.com/bid/4426

    2000:
    http://www.securityfocus.com/bid/6766
    http://www.securityfocus.com/bid/8081

    NT4/2000:
    http://www.securityfocus.com/bid/10117
    http://www.securityfocus.com/bid/1745
    http://www.securityfocus.com/bid/1743

    Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.

    I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel" is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of kernel.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  11. Re:Reasons why... by prockcore · · Score: 4, Interesting

    Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.

    Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.

    When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definately think twice about it.

    I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.

  12. Nessus and nmap tell a much different story by mclaincausey · · Score: 5, Interesting
    OOTB, you will find OS X much more secure than the default configuration of almost any Windows or Linux boxen. If you further configure your OS X box to be a hair's breadth shy of paranoia, you will find that NO Windows box can even enter the conversation about security by comparison.

    This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.

    The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?

    If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notirious for self-aggrandizing FUD designed to promote their services.

    The reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?

    --
    (%i1) factor(777353);
    (%o1) 777353