Slashdot Mirror


Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

32 of 573 comments

  1. Re:Reasons why... by Anonymous Coward · · Score: 5, Interesting
    If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.
    Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
  2. This could be pretty serious by Anonymous Coward · · Score: 5, Funny

    What people fail to realize is that there are literally hundreds, if not thousands, of people who own Macs and many of them are now connected to the Internet.

    Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.

    1. Re:This could be pretty serious by arfuni · · Score: 5, Funny

      Look buddy, this isn't a laughing matter. Starbucks locations with wireless access points would be torn with the chaos of obnoxious PowerBook owners complaining to cute baristas who would subject the internet to even more Livejournal and blog whining.

  3. Poorly thought out, badly written sensationalism. by Raindance · · Score: 5, Insightful

    I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.

    However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases, half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here."). There's really no proof (hard or soft) for any of the assertions in the article.

    In conclusion, there's really really nothing to see here.

    RD

  4. Biggest bunch of bull ever by falcon5768 · · Score: 5, Insightful
    The fact that they call this current windows worm not a major threat tells you where their mind is and who's paying their pockets.

    I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  5. Re:security holes on a BSD-based system??? by Kenja · · Score: 5, Insightful
    "Gee, and after all we've been told about Windows being the only insecure platform.... who'da thunk it?"

    Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token, Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  6. Re:Reasons why... by daviddennis · · Score: 5, Interesting

    This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.

    That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

    D

  7. Re:Reasons why... by talaper · · Score: 5, Informative

    Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    Your statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. That's a BIG difference.

  8. Re:Wow, this is pointless by HeghmoH · · Score: 5, Insightful

    And then they mention a hole in Apache? WTF? Not Apple's problem.

    It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  9. Wishing for a way to mod "journalists" as trolls.. by mike_lynn · · Score: 5, Interesting

    Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."

    And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!

    I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.

  10. Apple knows its audience by Reverberant · · Score: 5, Informative

    A comment in response to the Scobleizer blog said it best:

    Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=61798 clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a050304-1.txt

    Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

    Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)
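The workflow the comment above describes, reading a consumer-facing update note, pulling out the CAN/CVE identifier and following it to the public advisory, can be automated. The following is an added example and not code from the page or from Apple; the note text is constructed (the two identifiers in it, CAN-2004-0431 and CAN-2003-0112, are taken from elsewhere in this thread purely to illustrate the format, and the "Component A/B/C" labels are hypothetical), and the lookup URL pattern is the cve.mitre.org one cited later in the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a consumer-facing update note.
# Not Apple's wording; component names are hypothetical and the identifiers
# are reused from this discussion only to show the format.
SAMPLE_NOTE = """\
Security Update 2004-05-03 (constructed sample, not Apple's wording)
Component A: improves the handling of long passwords. CVE-ID: CAN-2004-0431
Component B: fixes a crash on malformed files. CVE-ID: CAN-2003-0112
Component C: see CAN-2004-0431 and CVE-ID CAN-2003-0112 again
"""

# Matches both the old candidate prefix (CAN-) and the CVE- prefix.
# "CVE-ID" is not followed by digits, so it does not match.
CVE_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def extract_ids(text: str) -> List[str]:
    """Return every CAN/CVE identifier in text, first-seen order, de-duplicated."""
    seen: List[str] = []
    for ident in CVE_RE.findall(text):
        if ident not in seen:
            seen.append(ident)
    return seen


def parse_update_note(text: str) -> Dict[str, List[str]]:
    """Map each 'Component: description' line of a note to the identifiers it cites.

    Lines without a colon (headers) and lines that cite no identifier are skipped.
    """
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        component, _, rest = line.partition(":")
        ids = extract_ids(rest)
        if ids:
            entries[component.strip()] = ids
    return entries


def reference_url(identifier: str) -> str:
    """Build the cve.mitre.org lookup URL for an identifier (pattern cited in this thread)."""
    return f"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name={identifier}"


def lookup_table(text: str) -> List[str]:
    """Render 'component  identifier  url' lines, one per cited identifier."""
    rows = []
    for component, ids in parse_update_note(text).items():
        for ident in ids:
            rows.append(f"{component:<12} {ident:<15} {reference_url(ident)}")
    return rows


if __name__ == "__main__":
    for row in lookup_table(SAMPLE_NOTE):
        print(row)
```

The regex keeps the 2004-era CAN- prefix as well as CVE-, because vendor notes from that period used either; de-duplication matters when the same identifier is cited under several components in one note.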

  11. Re:Where's the evidence??? by lakeesis · · Score: 5, Insightful

    I think it's even more disturbing that the author doesn't seem to have a problem with the use of only one source to back up what is a pretty wide-ranging assertion --> security company A says that apple has big flaws, so apple must have BIG FLAWS! OMG! The sky is falling!! -- instead of relying on a collection of different security company opinions on which to base her assertions.

    Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.

    --

    If we do not do what we must do, what we must do does not get done.

    --
    sig: I'm not at home, or busy. please leave new sig after the tone.
  12. Re:Reasons why... by Anonymous Coward · · Score: 5, Funny

    You are correct sir! It's not like Microsoft released the patch for the Welchia worm a month before the worms release or anything!

  13. Re:Reasons why... by duffbeer703 · · Score: 5, Funny

    You obviously don't understand the fact that Steve Jobs is a genius. I once witnessed Steve turn a barrel of rocks into gold bricks. The man is amazing.

    OS X holes aren't problems, but opportunities for Mac users who "Think Different." to explore the creative possibilities of their Mac from a new, unique and artful perspective.

    Apple is a corporation that cares about and nurtures the creative class of our society. "Security" is just another word for mindless oppression by the man.

    Microsoft is just an evil corporation in it for the money, and they put holes in their software to sell more stuff!

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  14. Re:Reasons why... by gunnk · · Score: 5, Interesting

    Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

    As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.

    Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.

    --
    Life is short: void the warranty.
  15. Black Cadillacs by Graymalkin · · Score: 5, Interesting
    It is really nice of TechWorld to let companies write their "articles" for them. This article is complete and utter tripe. I think this is quite a bit worse than the expose from Intego and their inane little "trojan horse". None of the outlined exploits went unpatched for any significant period of time, I downloaded the security updates that cleared up the problems just last week in fact. They're also not the sort of exploits that make Sasser and Blaster look like little nips.

    Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:

    This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.


    He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
    --
    I'm a loner Dottie, a Rebel.
  16. Re:Reasons why... by neuroticia · · Score: 5, Informative

    Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

    It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an unsecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

    Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

    If there's a vulnerability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

    -Sara

  17. Re:Wow, this is pointless by Elwood+P+Dowd · · Score: 5, Informative

    DO they ship apache with every copy of mac os x?

    Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.

    The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".

    I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.

    --

    There are no trails. There are no trees out here.
  18. Surprisingly unbiased article summary by bonch · · Score: 5, Interesting

    Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

    I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!

    Just felt like pointing it out. Good job in this instance.

  19. Re:Reasons why... by DA-MAN · · Score: 5, Insightful

    And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

    I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.

    There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides even if the worm writer did find out through the description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason, if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether I'd be able to recover something if it broke. If something goes wacky on a wireless card wpa fix, and your wireless card no longer works you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having to do with wireless.

    What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

    Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...

    --
    Can I get an eye poke?
    Dog House Forum
  20. Re:Wishing for a way to mod "journalists" as troll by CalTrumpet · · Score: 5, Insightful

    Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.

    Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.

    Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.

  21. Re:Where's the evidence??? by SLot · · Score: 5, Informative

    Can you name a single Windows flaw that was in the kernel?

    http://www.net-security.org/vuln.php?id=3401
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0112

    I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?

    http://www.microsoft.com/technet/security/bulletin/MS03-013.mspx

    Google is your friend.

  22. Re:Where's the evidence??? by evilviper · · Score: 5, Interesting
    You can bash Microsoft's userland applications (RPC in particular!) as much as you want, but their kernel is extremely well-written.

    How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:

    XP:
    http://www.securityfocus.com/bid/9694

    NT4/2000/XP:
    http://www.securityfocus.com/bid/7370
    http://www.securityfocus.com/bid/3478
    http://www.securityfocus.com/bid/4426

    2000:
    http://www.securityfocus.com/bid/6766
    http://www.securityfocus.com/bid/8081

    NT4/2000:
    http://www.securityfocus.com/bid/10117
    http://www.securityfocus.com/bid/1745
    http://www.securityfocus.com/bid/1743

    Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.

    I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel" is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of kernel.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  23. Re:Reasons why... by 47Ronin · · Score: 5, Informative

    Perspective: people are surprised by all the security updates that Apple releases.

    Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
  24. Nah, just a bad article by Anonymous Coward · · Score: 5, Insightful

    Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.

    If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absence of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possible is "poorly formulated, poorly researched rant".

    Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".

  25. Re:Reasons why... by abscondment · · Score: 5, Insightful

    Security holes in any system will come out more quickly when more people use it. The fact that Apple can (usually) find and fix security holes before they are made publicly known might just stem from the fact that their user base is smaller than Microsoft's and therefore their security holes are more obscure (in terms of publicity, not coding content). The most used product will always have the most exposed flaws. Microsoft simply can't keep up with the number that are exposed; who's to say the same wouldn't be true if Apple was the industry standard? Immunity from errors of this kind can be found in open source type systems, but that's a whole other can of worms.

  26. Less used features vs. Core problems by Schapht · · Score: 5, Insightful
    It seems to me that all these holes are in systems that the average OS X user wouldn't use very often if at all. I'm a developer using Mac OS X, and I'm not even affected by most of these.
    1. as far as I can tell, OS X uses Apache 1, not 2
    2. I don't use IPSec, but some people might. I would bet the percentage is small
    3. Most people use Samba anymore because it's not as proprietary as AFS
    4. most users don't allow remote logins (escalation wouldn't be a problem)
    5. not sure about RAdmin


    My point being that, first off Apple might want to be quiet about it because the majority isn't affected, and second the vulnerabilities aren't nearly as integral to the OS as most windows vulnerabilities are.

    My apologies if this is redundant.
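Both this comment and comment 23 above rest on the same claim: the patched services (Apache, AFP, CUPS and so on) are not listening on a default install, so the holes are not remotely reachable unless the user turned them on. A practitioner would verify that rather than assume it. The following is an added example, not code from the page or from any project it mentions: it parses BSD-style `netstat -an` output (the format Mac OS X uses, where host and port are separated by a dot) and reports which sockets accept traffic from other hosts. The netstat text below is constructed for the example, not captured from a real machine, and the port-to-service names are the standard registered ones.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the style of BSD `netstat -an` on Mac OS X.
# Not captured from a real machine; addresses are example values.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      192.0.2.10.443         ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.49153        *.*
"""

# Registered service names for the ports discussed in this thread.
KNOWN_PORTS: Dict[int, str] = {
    80: "http (Apache / Personal Web Sharing)",
    548: "afp (Apple File Service)",
    631: "ipp (CUPS printing)",
    5353: "mdns (Rendezvous/Bonjour)",
}

LOOPBACK = ("127.0.0.1", "::1", "localhost")


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to a non-loopback address (reachable from the network)."""
        return self.host not in LOOPBACK


def split_bsd_addr(addr: str):
    """Split 'host.port' as printed by BSD netstat; '*' means all interfaces."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return the listening sockets in netstat -an output.

    TCP sockets count only in LISTEN state; UDP sockets (no state column) count
    when they are unconnected, i.e. foreign address is '*.*'.
    """
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers and blank lines
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        if proto.startswith("udp") and foreign != "*.*":
            continue
        host, port = split_bsd_addr(local)
        listeners.append(Listener(proto, host, port))
    return listeners


def exposed_ports(text: str) -> List[int]:
    """Sorted ports reachable from other hosts; an empty list is the 'zero services' case."""
    return sorted({l.port for l in parse_listeners(text) if l.exposed})


def report(text: str) -> List[str]:
    """Human-readable line per listener, flagging what is network-reachable."""
    lines = []
    for l in parse_listeners(text):
        name = KNOWN_PORTS.get(l.port, "unknown")
        scope = "EXPOSED" if l.exposed else "loopback only"
        lines.append(f"{l.proto} {l.host}.{l.port:<5} {scope:<14} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
    print("exposed ports:", exposed_ports(SAMPLE_NETSTAT))
```

Run against real `netstat -an` output, an empty `exposed_ports` result is what "zero services running" should look like; anything listed is a service the user (or a patch regression) turned on and that the advisories in this thread would actually apply to.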
  27. Nessus and nmap tell a much different story by mclaincausey · · Score: 5, Interesting
    OOTB, you will find OS X much more secure than the default configuration of almost any Windows or Linux boxen. If you further configure your OS X box to be a hair's breadth shy of paranoia, you will find that NO Windows box can even enter the conversation about security by comparison.

    This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.

    The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?

    If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notorious for self-aggrandizing FUD designed to promote their services.

    This reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?

    --
    (%i1) factor(777353);
    (%o1) 777353
  28. Can you say Apache? by weston · · Score: 5, Insightful

    The most used product will always have the most exposed flaws.

    Apache has demonstrated this is simply false.

  29. Re:update mechanisms by sjlutz · · Score: 5, Informative
    I've seen Windows and Microsoft bashed enough on Slashdot, and sometimes for good reasons, but I have to say that the parent post is completely wrong.

    1) The Windows Update is installed by default, and (annoyingly) pops up when using a new computer until you tell it what to do. The options are simple: 1) Enable Windows Update (on by default). a) Notify before downloading, b) Download automatically, but don't install. c) Auto-download, and auto-install at scheduled time. Default is Updates ON, but just to notify.

    2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related) messing up an existing exchange server. I have yet to have a security update mess anything up, and I run about 100 windows servers. Like any update, I do test on a non-production box (like staging server or development server) before I push to production, but I have yet to have a problem.

  30. Re:update mechanisms by TechniMyoko · · Score: 5, Informative
    Windows Update is semi automatic. It downloads the patches rated critical, and asks permission to install them.

    As for some patches causing trouble, I seem to remember an update for OSX that neutered the network adapter.

    As for DLL hell, that was cured in XP/2K which keeps multiple versions of DLLs

  31. Re:update mechanisms by Gumph · · Score: 5, Insightful

    2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related)

    Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix) if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys - (the last one being PRETTY common on corporate servers) instead of your machine rebooting all the time - it will just hang or fill up a CPU to 100%
    Microsoft are now offering a hotfix to one of their patches! priceless!!

    --
    'By the pricking of my thumbs, something wicked this way comes'