Apple Quietly Goes After Mac Trojan With Update

Th'Inquisitor was one of several readers to point out coverage of Apple's stealth security fix, included along with the recent Snow Leopard 10.6.4 update. Graham Cluley of Sophos first noticed the update to protect Mac computers from a Trojan, and the fact that Apple didn't mention it in the release notes. The malware opens a back door to a Mac that can allow attackers to gain control of the machine and snoop about on it or turn it into a zombie. "You have to wonder," writes Cluley, "whether their keeping quiet about an anti-malware security update like this was for marketing reasons." While he certainly has a point that Apple benefits by its users' belief that the platform is secure, you also have to wonder whether any such publicity from a security company has a marketing subtext, as well.

Security as it should be

[GreatBunzinni]

This is a good opportunity for the world to rethink its perception of what viruses, trojans and the like are. Due to the vast and never ending list of problems and software defects that plague the dominating platform (i.e., microsoft windows) since it's inception and continue to affect it up to this day, the world has been conditioned to think that having a base system with so many profoundly serious defects is somehow acceptable. I mean, these bugs are so serious that they even let other people take over your system, a system that you've paid with your hard-earned money to be able to use as you use fit. Why exactly should this be normal, let alone acceptable?

In this instance we have a very rare glimpse of what the issue of software vulnerabilities is and how it should be handled. A very serious software bug could be exploited by malicious people to be able to gain control of the system and that problem was fixed by fixing the software bug. That is exactly how it should be. Yet, what Microsoft forced us to believe it is the right way of handling this thing is let that security hole stay wide open. What Microsoft forced the world to believe is that you solve the problems arising from any security bug by paying some third-party vendor for a piece of software that monitors your system for a hand full of instances of malicious code that made it's way into your system through those security holes. And this has become acceptable why? It's as you've bought a house with so many holes that could be used by malicious people to enter your house as they see fit and take over it. The problem lies in those holes being there and the problem doesn't go away if you employ security guards instead of plugging those damn holes your incompetent builder left there.

Re:If they're trying to keep it secret

[phantomfive]

Hiding it makes a lot of sense if you don't want to look bad,

It's really hard for me to believe that's the reason they did it, given the number of ugly things they did announce, including a few bugs that give complete control of the computer just by opening a web page. They could have added a line about updating malware signatures, and if they worded it right, avoided the bad press (I mean, it's not like it's the first time there has been a trojan for OSX).

It is more likely that the internal communication processes at Apple got mixed up, and the people in charge of updating the malware signatures haven't gotten in contact with the people in charge of writing the release notes. I don't think that is an uncommon thing in large (and even small) companies.

Re:this is anything but new

[eihab]

Microsoft in the meantime has gotten much more agile and serious about fixing bugs when they're reported all the while bitching if someone dares go public too quickly for their taste ala Google.

Too quickly for their taste?

I don't know what world you live in where you can patch something as complicated as windows in five days.

Do you know how many versions and language combination of windows there are? Testing and QA that goes into it? Documentation?

It's not like your small little project where you fix a couple of lines and call it done you know.

And also, it wasn't "Google" per se, one of their security researchers did it, and according to his tweets he claims that this was done on his own time.

But sure, let's ignore the facts and label this as a clash of the titans.

Re:this is anything but new

[eihab]

Where in the world except for microsoft the languages is relevant for fixing up bugs or securing the CODE?

The world where you have to deal with RTL languages like Arabic and Hebrew where no matter how simple the patch is, something is bound to get broken.

That's not even considering that the bug was in the hcp:// protocol that's directly related to help/remote assistance and the control panel. How will the patch affect hcp://[slashdot ate my UTF-8 Arabic characters that spelled help]?

That said, I do not have access to the code and I do not know for sure if there are any il8n issues to consider, but make no mistake about it, Windows is not your freaking weekend project that you can fix/QA and push live in five days.

Look, I dislike Microsoft as much as the next guy, but Google's security researcher really didn't give them any chance here.

Had he reported it and it went unfixed for 3 months then I'd be rooting for him and bashing MS like there's no tomorrow. But any bug in a code base as complicated as windows cannot be humanly fixed in the time-frame he gave them.