Slashdot Mirror
Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is also working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).
I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?
Visit Jonesblog and say hello.
The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". Seems making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.
-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.
Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!
Condemnant quod non intellegunt.
What people fail to realize is that there are literally hundreds, if not thousands, of people own Macs and many of them are now connected to the Internet.
Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.
I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.
However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here." There's really no proof (hard or soft) for any of the assertions in the article.
In conclusion, there's really really nothing to see here.
RD
Yes, security through obscurity. A well thought out and totally effective strategy.
Not.
I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.
"Slashdot, where telling the truth is overrated but lying is insightful."
I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).
Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel.Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.
Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token. Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.
/tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).
On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely,
As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylander Viper with the amount of resources they're claiming it's going to need to consume.
I'm happy with my fuel efficient tank that'll work on any road, thank you very much.
(Apologies to Neal Stephenson for borrowing the metaphor)
Karma: Non-Heinous
Microsofts policy is the holes dont exist, Apples is they exist and when we find them we fix them.
"Slashdot, where telling the truth is overrated but lying is insightful."
As long as there are operating systems and, likewise, semi-to-fully intelligent people who look them over..there will always be, in some form,..."holes". Any system must be absolutely isolated from any outside sources of activity to even be viewed as semi-secure. My PC with my own OS in the middle of my padded room connected to nothing but cables to my inverter may be secure...but the fella drooling in the corner has given me some reason for concern....
Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."
And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!
I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.
Wayne's World, Wayne's World, party time, excellent!
p.s. find a new method of sarcasm!
...an "Apple", with "holes" in it, which could be exploited by "Worms"...
Well, I thought it was funny, at least.
A comment in response to the Scobleizer blog said it best:
Not only does the article offer only very little in the way of evidence, but the whole point of the article appears moot. My favorite quote at http://secunia.com/advisories/11539 (linked from the article):
"Solution:
Apply Security Update 2004-05-03."
(The article is dated "04 May 2004")
Yes, security through obscurity. A well thought out and totally effective strategy.
Not
And I 'not' your 'not'. Patching a hole quietly is not security through obscurity.
Why should Apple take exploits in OS X seriously? Isn't it true that vulnerabilities are never exploited until a patch is available?
MacBook Pro. Worst name since the Bicycle
Name me one software company that goes out of their way to advertise or publicize their security problems. Microsoft certainly doesn't.
.. and users too, I guess), and MS has made it plain they won't fix these problems unless there is bad publicity.
The holes are generally publicized by outside parties (like @stake and Secunia in this article) who somehow make their living finding these problems (1. find bugs 2. ??? 3. profit!)
We hear about MS's bugs so much because they affect so many people, there are so many of them (bugs
A colleague submitted a bunch of local exploit reports to Apple months ago with no reasonable response. I certainly don't read mail on my iBook.
Slashdot: Where nerds gather to pool their ignorance
If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.
Don't publicize such articles by posting them on Slashdot.
I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policys.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...
Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of preportion by Kieren McCarthy:
He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
I'm a loner Dottie, a Rebel.
Hear hear! Well spoken, Bruce!
I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used asks the user to create a root username and pass, then tells the user that they shouldn't usually log in as root and gets them to create another user.
-Derick
While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who's putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently include 18 MB of the Quicktime logo for each of language it supports: Not So Quickthinking on this page. That's just lazy work.
Who is to say that certain virus protection companies are hoping that virus infections in OSX start to become wide spread. I know that most mac users do not use virus scanners, and the virus scanners that are available seem to only list windows viruses with about 1000 very old Mac viruses. To allow widespread security breaches promotes the creation of viruses, which in turn, promotes the creation and sales of antivirus software.
What I have always wondered is if there are groups of people who actively try to write viruses for OS X. I would imagine that there has to be at least one person who has tried to do so, even if it is just as a proof of concept and not intended to be released in the wild. At least the idea of being the first person to write a majorly destructive virus for OS X must be appealing to the type of person that creates Windows viruses for fame. I think that answers to questions like these are important because it relates to how we view the security of the system. Along the lines you mentioned, how can people say that OS X has very tight security if it has never been put to the test in the wild? That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.
SIGFAULT
> I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.
Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP adresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.
Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!
Just felt like pointing it out. Good job in this instance.
Macintosh machines are such a small percentage of the personal computer market they're not really an interesting target for virus makers.
Not only that, but because they are a small percentage, it would be difficult for a Mac worm to spread because it would have to try a lot of IP addresses before it found a Mac. Same thing with Linux, though there are a lot of Linux web servers out there.
However, a multiplatform worm would be effective. A worm that could spread between Windows, Linux, OS X, etc. Of course then there would probably be different exploits for each OS. If there was an application that ran on each OS that it could exploit and spread through (e.g. Apache), that would be the ideal for a virus writer.
#!/
Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.
Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.
Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
You obviously care too much. This is your 5th sarcastic post on this topic alone. What on earth happened to you to make you sit on Slashdot, reloading this topic and posting over and over?
Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.
The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.
The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.
The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.
Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.
I have something in common with Stephen Hawking...
With all due respect, this is much ado about nothing. Let's examine some of the claims:
* Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS
Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.
* Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.
Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.
* A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.
Ok, this may be ONE issue so far that is attributable to Apple.
* An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.
WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?
* An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.
More unconfirmed vulnerabilities? Nice FUD.
I dont' spend much time talking about my heart condition, so when people ask me about it, I give them odd looks, explain it away and generally dismiss it.
Mind you, I don't have a heart condition, or at least, not one any doctor has identified. I guess I *could* have one and just don't know it. Sure I do some of the things that could lead to a heart condition. Don't smoke but do drink. Don't eat fast food but do enjoy butter on my baked potato, that sort of thing.
I think that this journalist is trying to spread FUD about the Apple dieing of a heart condition it doesn't have.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rifed with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continously calling up complaining, there really is no reason to talk about a security hole.
Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonablly well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also effect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.
Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also effecting Linux, and Unix machines as well. Like the security update from yesterday or the day before address issues in Apache, IPSec, OpenSSL, and CUPS.
The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.
The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to Apple each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who original posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.
Blah, blah, blah...isn't this just more of I'm looking, scraping, scrouning for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actual focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?
Lets u begin what 2 of those 5 'highly critical' advisories, according to that linked page haven't been confirmed yet. One does indeed wonder that if Apple is allegedly not taking them seriously, and this reporting place is, why are they not in fact confirmed. Perhaps we can argue just as well that Secunia is doing a 'half-hearted' job at testing.
Ok now see how one can go off half cocked? this is the statement from McCarthy " Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more"
Im not really sure what more one would want them to say? Perhaps "OH MY GOD THIS IS A DISASTER!" Well clearly its not. But if you want to hype it for an article sure whatever. Perhaps you want want to know exactly when it'll be fixed. Good let them give you some fictional date that they makeup before they have actually investigated it. But hey sure you can hype in your article.
To be annoyingly pedantic, apache isnt part of the OS. Additionally most people dont use the (Apache) built in web server. I should also mention that none of the 3 articles linked about the Apache problem are listed as 'highly critical' anyway. (2 moderate and one 'less')
IPsec ones.. both moderate. So this leaves us with 2 unconfirmed, 2 moderates, and 1 left of privilege escalation. I cant say much about it as I dont know anymore than the rather curt descriptions.
The really best part is is what is claimed to be "Apple's half-hearted effort to these holes" Links to a page on a security update for them. But hey if you need to hyper that a fix means nothing is being done because you have an article deadline.. then sounds like you are doing a "half hearted" job.
We can add that the "trojan" they refer to requires that the file be embedded in an apple-specific disk image format and can not be triggered by a normal download... and anyone in a position to convince someone to run the "trojan" has plenty of other avenues of attack.
And that's the real problem I wish Apple would catch on to.
The biggest security problem in Windows is one that most people, and most "official" security announcement sites, don't even pay attention to... and that is the tight integration between Internet Explorer and the rest of the system. It still amazes me that people don't routinely pillory Microsoft for the way their cynical legal tactics to bypass their agreement with the DoJ have made IE and Outlook the biggest virus distribution systems in the world.
And the way Apple has integrated FTP with Finder and is increasingly using Webkit in basic utilities and applications really disturbs me. Web-enabled installers (that automatically run the installer on a disk image mounted over HTTP (!)) are a horrifyingly bad idea, and "fixing" one of the security holes by having the installer pop up a warning before it runs scripts in the package is just daft.
This is a much bigger problem, and like Microsoft's abuse of IE it's a basic design flaw rather than a patchable bug. If you're going to demand action from Apple, work on this instead of worrying about whether they played enough "mea culpa" cards when patching a buffer overflow.
but who really cares? Basically, virus writers have only one goal in mind: FAME.
Given that Apple only has 5% of the market share, spending your time writing a Mac virus is somewhat foolish in terms of investment/reward. Even if 50% of Mac users were infected with it, it would barely make the news because so few corporations use it.
It's when you talk about lost productivity and damage that viruses make the news.
- One is simply very quiet about security period.
- The other one makes a huge deal constantly about how they are improving their security, how they've changed their ways this time really and they're sending all their programmers to a 4-week course on how to not write buffer overflows, and windows is the most secure OS more than any of the competitors, etc.... while simultaneously trying to keep things as hushhush as they practically can about vulnerabilities and publically and loudly blaiming public informedness about security vulnerabilities for the fact the security holes they wrote are being exploited.
One of these two companies is being silly. The other one is being actively hypocritical and duplicitous.Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Apply Occam's Razor.
What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
-or-
Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.
Hmm. I wonder. %)
# # #
That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
I know there is some issue with "What if the company gets the report, but doesn't do anything with it ?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw-documentation at a time, so that over time the likeliness of an exploit becomes higher - but only by those with enough knowledge, rather than every script-kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.
Apple apologists are the most amazing bunch of people that I have ever encountered.
*Takes bow* Thank you so very much. We're all honored being the most amazing people you've ever encountered! :-)
When it was revealed the Apple sold a $300 super-walkman that needed a $100 exchange for a refurbished iPod & battery after a year,
Wait... Did you see a battery door on the floor model or something? At what point did the salesman tell you about a cheap battery replacement program? Oh, you thought, "I payed $BIGDOLLARS for something and now you owe me the world." Next you'll tell me the cigarette manufactures owe you a lung transplant because they only had a warning label on the pack for a couple of decades before your disease.
Now the some bleating shit about security patches: "Apple is not revealing exploits to protect us"
Would would your reaction be if Steve Ballmer got up and said "patches do not matter, we are withholding them for your protection"?
Apple is withholding patches? Wow, they must have money to burn, ya know, developing patches for the sheer joy of it. Every time a problem has become public, I have a fix via software update within a few days. What? They need to deliver a white paper on the exploit, complete with code examples and a root kit too?
The argument "Well, the CIA used NeXT, so OSX is secure" holds no water either.
Well, how about, "The core of the OS is wide open for your inspection and repairs, so knock yourself out." Show me the exploits.
I hear Steve Jobs is going to ask you to drink the kool-aid! Get your cup ready!
Flamebait.
The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."
The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable.The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.
Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that soemone will bite.
Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.
If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absense of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".
Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".
I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).
I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.
I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine, the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is , um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non-sequitor and ad-hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.
People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.
That's all I have to say on this.
"While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"
Apple's description of the patch was rather terse (AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.
Enable 3D printed prosthetics!
Perspective: people are surprised by all the security updates that Apple releases. Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.
I think this sums up the arguement nicely.... so why were people still ranting about BS after 47Ronin posted it?
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
My point being that, first off Apple might want to be quiet about it because the majority isn't effected, and second the vunerabilities aren't nearly integral to the OS as most windows vulnerabilities are.
My apologies if this is redundant.
This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.
The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?
If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notirious for self-aggrandizing FUD designed to promote their services.
The reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?
(%i1) factor(777353);
(%o1) 777353
So......
Apple and Microsoft are both big corp. entities;
as such the downplaying of security issues would be expected.
This strongly biased end user and multi platform support professional would like ad his 10 cents worth.
1. Apple and Microsoft both have services with discovered and
yet undiscovered flaws.
2. Apple and Microsoft both release security patches to address those flaws typically when *discovered*.
3. Apple tends to patch these flaws *before* they become a
problem for the end user base, discovery is typically done by the open source community on which many of these flaws were inherited.
4. Microsoft tends to patch these flaws after the end user base
has brought the problems to their attention, discovery is typically done by the end user base under extremely painful conditions.
5. Apple and Microsoft both have mechinisms for priv. separation, both suggest using them, only one really practices this at installation time (you guess).
6. Apple tends to use defaults that reduce system risk while increasing end user ease of use (sometimes this leads to potential damage).
7. Microsoft tends to use defaults that are historical in nature
while increasing system ease of use (scripting host, macros, com and wins?) but also tend to expose the end user in methods not easily understood by that end user.
Where am I going with this? this article is obviously a troll.
When asked about platform preference I suggest using the tool that is right at the time and place of need.
i.e. no money? linux and x86
i.e. money? modern mac hardware and OS X
i.e. you paying my bills? Solaris/Sparc Windows/X86
again, biased but hey!
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.
1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)
Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.
2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.
While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.
So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.
The number of vulnerable machines strongly affects the time it takes for a worm to spread.
Consider the extreme cases:
If there are two vulnerable machines, and the first one is infected by hand, it will take on average 2^32/2 or about 2 billion tries to find the other one.
If every IP address has a different infectable machine behind it, the work gets parallelized and a sufficently smart worm could infect every machine in the time it takes to do 32 infections. Even a less clever worm that probes randomly (thus duplicating a lot of effort) would infect nearly every machine after a few hundred infection-cycles.
From the article:
Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.
These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.
Link.
Pretty FUDdy article to me.
I suspect it has more to do with some people's masochistic desire to make themselves look idiotic by bandying about terminology they obviously don't understand. Apparently "security through obscurity" now means things like not providing the world with step-by-step instructions for accessing your machine. I guess keeping your passwords secret is also "security through obscurity" now too.
I'm sure it's waaaay too much to ask all these parroting dumbasses to actually read a book on security. So let's just make fun of them.
Instead of "claiming" that OS-X has a horrible security issue, with practically no proof to back that statement up, I'd really LOVE to see a OS-X worm. In-fact, I would put up some money to the author of such a worm. Because up to this point, there has still been 0 serious security problems in OS-X.
I do tech support all over So. CA, for mac and pc clients. And I have made 10x as much money from running to the PC client's LAN and ridding it of worms, spyware, and such, than to my Macintosh clients.
I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack-thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.
I easily backup friends and clients PC's through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.
I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)
In conclusion, I really would love to see a "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.
Viva la OS-X!
- Insolence (Mac User/Evangelist)
The most used product will always have the most exposed flaws.
Apache has demonstrated this is simply false.
Tweet, tweet.
Yeah, those damn companies. Bad bad bad! You think you can hide these inexistent flaws? These null security holes!? You think you can keep the public from these VULNERABILITIES that... we haven't found yet?! I say no! WRONG!
YOU will pay for your treacherous hiding of non-existing security holes. Just picture it: Some day, a non-existent hacker will get on his non-existent computer and create the ultimate blank computer virus and you'll see! Oh-hohoho... THEN it'll all come crashing down. You know it'll happen!
I'm going to go use Windows, which I KNOW has too many security flaws to count, and I KNOW will fail me at the drop of a hat. Go back to where you came from because I know I'm using a product that has REAL flaws. Bah!
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
--> http://vyruss.cjb.net/computing/FUD_essay.html
It's a bit long but this excerpt in particular seemed to relate perfectly to the subject being discussed:
That would be every single Windows user. All Windows versions.. at least all that are from the poisoned NT tree, actually make an RPC call back to themselves when they log in. If you disable RPC on a Windows box.. the box can't authenticate LOCAL users! How's that for clever design?
I'm not feeling witty so bite me
How many network ports are open when you install Mac OS X? NONE. not one. buy a mac, turn it on, put it on some network, run any port-sniffing utility against it, such as nmap from another machine, guess how many hits you get back? NONE. NOT ONE.
Now. Look at windows. for years m$ has wanted to facilitate the life of LAZY corporate network administrators and enable all kinds of services out of the box upon installing their operating system. This behavior has been "inherited" even in the more "personal" versions of windows.
NO OPERATING SYSTEM IS SECURE IN ABSOLUTE TERMS. Apple never made such claims, neither are mac os x users fooled into believing so. Security vulnerabilities are a fact of computing.
The key here is that security works in LAYERS. Just like Ogres and Onions, security has layers: Network, Operating System, Applications, User Education among a few.
Various practices promote better security at various layers. Apple has consistently been better at this than Microsoft ever has. Let's look at a few random considerations:
In OS X, software updates are handled thru a dedicated software update program that functions within user-level permission constraints. On Windows, you open your fucking web browser and go to windowsupdate.com to upgrade your computer, while the software installation happens INSIDE THE FUCKING BROWSER, all this made possible thru this security-holes-ridden framework called ActiveX. Now, try to educate users to NOT click yes on ActiveX warnings when they're about to download "this really cool screen saver"?
Most windows installations have for years at least enabled file sharing by default, and various pieces of other crap running on port 139. Web sharing, IIS, web-based admin, RPC, the list goes on.
The core pieces of OS X that are affected by security considerations are open-source, part of the Darwin framework. While security holes will always be popping-up, this approach to operating system development and maintenance promotes maturity and better security.
Since Apple has fairly nicely layered its security model in its operating system, impact of security holes are typically less dramatic. Most of what this article is accusing Apple of is not publicly scream "OH MY FUCKING GOSH THERE ARE A BUNCH OF HOLES IN OUR SYSTEM". Indeed, they sometimes put a bit of a spin and don't feed rumors any further. Just because Apple doesn't return calls from sensational-headline-hungry journalists, does not mean they're not actively working with the people they should be working with: Security experts. Just look at Apple's release notes. They're doing exactly what they should be doing: citing advisories outlining the security holes for anybody to look them up, and publicly acknowledging and thanking the people who found them.
Kieren McCarthy's article is ridden with fallacies, here's one of my favorites: "In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip". I rest my case.
Extraordinary Vacations. Exceptional Prices
There was a little bit of tooth-cutting on an Atari 520ST, but the first computers I used very regularly were macs, and I eventually ended up with a job doing mac desktop support. After a few years of spending time with macs only, I started using and adminning linux. Redhat 3.03 was my first, newbie that I am.
Then for quite a while I was very torn about the two. Linux was clearly the sane choice for servers, but I found that they each frustrated me in about equal measures as a workstation. I went back and forth between running macos and linux on my macs. (Well, and a little beos.)
So when macosx was released, it felt as if it were written pretty precisely for me. There are still a few ways here and there in which it's not quite as good a unix as linux is, nor quite as good a desktop as paleo-macos was. But being almost as good at _both_ is truly a whole greater than the sum of its parts.
Honestly, Windows never even came into it. By the time I had enough familiarity with computers to be able to make any kind of judgement about platforms, it seemed very clear to me that Windows users were pretty regularly unhappy, and struggled with things that I'd just always taken for granted.
So, my bug was fixed in software that doesn't exist. At least they told me.
And I'm more amused than annoyed. At least one can submit bugs, and they generally have fixed all of them by the next major release. But open and communicative...not really.
That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.
Your home may not be "secure," but it is safe; that is to say, it is a statement of social dynamics more than the number of padlocks on your doors when you say "I live in a safe neighborhood; I can leave my doors unlocked at night." That may be naive, and the first attack is always the most remarkable, but still it can essentially be true. Saying you don't need to lock up is true if you live in a community where break-ins are rare.
A similar statement can also be true of Macs and viruses, presently. Right now, it's simply a safer neighborhood. Growth may change that, but it hasn't, so far.
Yes, this is much along the lines of what I was trying to say.
"A similar statement can also be true of Macs and viruses, presently. Right now, it's simply a safer neighborhood."
What I really want to know is if the "neighborhood" that Macs exist in suddenly turned as violent as the one that Windows is in, is if they would hold up. I think eventually, someone will try to create something that will attempt harm to Mac users and I would like to know how successful someone might be at this attempt.
SIGFAULT
Eeye and @stake contacted the Apple security team after finding these bugs, and coordinated the timing of the announcements to follow the availability of the patch.
The controversial part of this practice is when the software vendor stalls the fix (which always happens). At what point does @stake go public with a vuln? Three months? A year? There are guidelines that all of these organizations have agreed to, but they aren't legally enforcable, and so there is a lot of gray area in how long a company can wait to release a fix, and how they must classify it afterwards.
Forgive me, but who is Kieren McCarthy? And how can he prove the existence of something that he by definition cannot know anything about?
And why does this always happen whenever Windows gets the shit kicked out of it?
Kieren McCarthy, whoever you are, I am sure this comes as no great news to you, but 1) you are full of it; and 2) you're a dupe - perhaps a paid dupe, perhaps an unpaid (and therefore even more duped) dupe.
My argument is only anecdotal, but even as such it offers much more substance and evidence than this charlatan.
I have never - and I literally mean never - come across a company so freaking security conscious as Apple. I mean, these guys are out in front and thinking and preparing for possible security vulnerabilities waaay down the line - years ahead.
All you have to do is read the programming tutorials to understand this.
And their grasp of Unix is excellent. These guys really know security, and for them security is a top, if not the top, priority.
Exposing a bug in OS X gets you an immediate response - and by 'immediate' I mean 'immediate': within a couple of hours at the most. And the contact you get becomes a liaison between you and the development team. And even more impressive, they actually keep after you to complement your information so they can get to the bottom of it.
Now honestly, Mr Kieren McBullshit, who else does this? Eat you know what and do you know what. You should be ashamed.
There used to be a time when Apple traced every hardware flaw back to the design phase - and corrected it. This thinking they have today about software and security echoes that type of thinking.
You might accuse Apple of many things, but lax on security is not one. My information is only anecdotal, but it's more than good enough for me: in terms of security, Apple are simply best.
So crawl back into the woodwork, Mr Microslave, until next Windows gets walloped by a simple hack written by a teenager sitting in his underwear at his computer halfway around the world.
We'll be waiting.
"And the other 3? Apple should at least point to the relevant advisory."
Apple did. I'll quote more of the knowledge base article:
"* CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.
* Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating to Apache 2 to version 2.0.49.
* RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
* AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
* IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392."
Admittedly this is listed in the knowledge base article, not in the consumer description of the patch, but it doesn't seem unreasonable that a sysadmin would read the KB article for the patch before installing it.
Enable 3D printed prosthetics!