Slashdot Mirror


Apple Usurps Oracle As the Biggest Threat To PC Security

AmiMoJo writes: According to data from Secunia, Apple's software for Windows is now the biggest threat to PC security, surpassing previous long term champion Java. Among U.S. users, some 61 percent of computers detected running QuickTime did not have the latest version. With iTunes, 47 percent of the installations were outdated versions. There were 18 vulnerabilities in Apple QuickTime 7 at the time of the study. Oracle has now fallen/risen to 2nd place, followed by Adobe. All three vendors bundle automatic updater utilities with their software, but users seem to be declining new versions. Update fatigue, perhaps?

37 of 320 comments

  1. Annoying update process by fintux · · Score: 3, Insightful

    The reason why I'm stalling sometimes with the updates is that the whole process is interfering with my computer usage. There are annoying popups requiring attention at about 30 s - 1 min intervals, activating a random time after computer boot and trying to install 3rd party software, so I need to be in a mood for installing those updates. Not even to mention that every software has its own update software with its quirks. And Windows also now notifies you to disable "unnecessary" start up software, which often includes these update checkers. These should all come from a single source and be handled much more like they are handled in Linux distributions or mobile app stores.

    1. Re:Annoying update process by Bert64 · · Score: 2

      Doesn't work if you're running the applications as an unprivileged user...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Annoying update process by sabbede · · Score: 2

      I find that update notifications for QT are just a reminder that I have to uninstall it. Can't think of a single reason to have it on a PC.

    3. Re:Annoying update process by rhazz · · Score: 4, Interesting

      The problem with iTunes is how often they modify the UI or key functions. At my peak iTunes usage I probably only used it once a month. Every single time there was a new update waiting, and every time I allowed the update it would modify the UI in some non-intuitive way, and it would take an onerous amount of time trying to figure out where they moved a particular command. So eventually I only updated when a particular function stopped working entirely. Honestly, if you have to refactor your UI every time you add a feature, start from scratch and design something more scalable.

  2. Re:Really? Quicktime? Seriously? by Hadlock · · Score: 2

    Valid question. I used to install Quicktime... 4? On my Pentium 2 MMX 200mhz computer back in the mid 1990's so I could watch movie trailers on Apple's website in middle school. That's the last time I installed Quicktime that I can remember. I'm honestly curious what purpose it serves today? Is it a web browser plugin or what? I haven't even thought of Quicktime in YEARS.... let alone had a reason to use it...

    --
    moox. for a new generation.
  3. Not fatigue by Anonymous Coward · · Score: 4, Insightful

    I was so excited when I got my iPhone 4. It's old, I know. Everything worked so well.

    Now... itunes has changed so much I can barely use it. It's always losing playlists, stopping play because it sees a cloud icon when the downloaded version is right underneath it, etc. Don't get me started about the hidden File Edit menus. My iphone barely works anymore. Browsers slow, maps is a joke, switching tasks takes a while.

    The last thing in the world I want to do is update itunes and IOS. Each time it gets more and more unusable, each time the experience stops 'just working'. I won't upgrade either again. Too scared. Too much time to remake all those playlists. Too worried about the lag from the new OS or insanely strange UI of itunes.

    It's too bad we can't just stick with a version that works, but this 'one size fits all' approach isn't working great.

    1. Re:Not fatigue by Anubis+IV · · Score: 2

      I agree with your general assertions regarding iTunes making changes for the worse. That said, let me offer a few answers/responses to some of your gripes (many of which I share or have shared), from one frustrated user to another:

      Don't get me started about the hidden File Edit menus.

      It's a setting in Windows these days. Ctrl+B toggles hiding/showing the menu bar by default. Otherwise you need to press Alt to get it to appear on-demand.

      stopping play because it sees a cloud icon when the downloaded version is right underneath it

      Regarding the cloud stuff, that should only happen if you have two separate copies of the track. The best solution is to get rid of one of them. If you're subscribing to iCloud Music Library (née iTunes Match), then the cloud-based one was probably uploaded previously by you. Just delete your local downloaded copy and then download the cloud-based copy. You'll end up with a single copy that's kept in sync across all of your devices. If you're not subscribed to iCloud Music Library and are instead using Apple Music, then the cloud-based one was probably something you added to your music library from Apple Music, despite the fact you already owned it. In that case, just delete the cloud-based one and use the copy you already had. If you'd rather not see the cloud-based stuff at all, I'd suggest you go to Edit > Preferences > General tab and disable Apple Music and iCloud Music Library, which should immediately address that issue.

      Browsers slow

      On iOS, I'd typically suggest grabbing a content blocker (though I can't for you, since the iPhone 4 is old enough (released in 2010) that it doesn't run iOS 9, which added content blockers), since most of the slowdown I've experienced over the years disappeared the moment I installed one. Turns out it wasn't Safari getting slower, but rather the websites I was going to (including this one!).

      If you're talking about Safari for Windows, then you're completely correct and should immediately ditch it, since it hasn't been updated in years and is susceptible to a variety of attack vectors (i.e. like what the summary is talking about). On Mac, last I checked, the latest version of Safari benchmarks on par with or better than all of the competition in the relevant benchmarks and fixes the aforementioned security issues.

      maps is a joke

      Apple Maps is greatly improved from when it started (*insert punchline here about how that isn't saying much*). Maybe it's because I'm old enough to remember when Google Maps was brand new and how bad it was then compared to how great it is now, but I was willing to give Apple Maps some time to work out its initial kinks, and by all indications, it has. It's not perfect, but at this point it gets things wrong for me about as often as Google does, which is to say, only once in a blue moon.

  4. Re:Really? Quicktime? Seriously? by Yaztromo · · Score: 4, Informative

    Valid question. I used to install Quicktime... 4? On my Pentium 2 MMX 200mhz computer back in the mid 1990's so I could watch movie trailers on Apple's website in middle school. That's the last time I installed Quicktime that I can remember. I'm honestly curious what purpose it serves today? Is it a web browser plugin or what? I haven't even thought of Quicktime in YEARS.... let alone had a reason to use it...

    My understanding is that versions of iTunes prior to 10.5 required Quicktime. Quicktime has always been more than a video player -- it's an entire multimedia framework, with APIs for doing a whole host of multimedia playback, editing, and conversion capabilities. It was the main multimedia framework for Mac OS X up until 10.7 (Lion).

    iTunes would have used it for both media playback, as well as for transcoding video from various formats/sizes for various Apple devices (iPhone, AppleTV, etc.). Newer versions no longer require Quicktime so far as I'm aware -- however, this article is about people who aren't keeping their software up-to-date, so it wouldn't be surprising to learn that they're still running older OS's and older versions of iTunes.

    Yaz

  5. Re:It's a business opportunity! by Anonymous Coward · · Score: 2, Insightful

    Why would Apple NOT update its insecure Windows software? Anyone?

    A more poignant question would be why do users not update their insecure third party Windows software regularly? There is an amazing array of PCs out there that are running pretty antiquated third party software. It does not matter how diligently the vendor pushes updates, there isn't a damn thing they can do to motivate their user base to update any more often than the user can be bothered, which is usually close to never. If the vendor changes the settings of their software update services to apply patches automatically on users' PCs, people just start pissing and moaning about having to install updates all the time and a whole bunch of them will disable the auto-update service. Then you get chewed out on Slashdot for not pushing updates. Lather, rinse, repeat...

  6. Yes, update fatigue by johannesg · · Score: 4, Informative

    Plus we're tired of being tricked into accidentally downloading unwanted virusscanners (flash), toolbars (java), and whatever other crap they want to bundle. We are tired of running two dozen automatic update tools at all times, all fighting for internet access and all using memory and CPU time. Sure, it's very little and it mostly ends up in swap anyways - but it adds up. And we are certainly tired of having to deal with that crap every time we boot the machine.

    It's a great mystery to me why Windows does not have a unified update service (like Windows Update, but also including tools from 3rd parties). It doesn't even have to go through Microsoft's servers - just let programs register their own server with the update service, and then let the update service do updates at times when it is convenient to me.

    I've solved at least part of this problem by simply not having QuickTime or Java installed. Flash is installed, but only runs on demand (which is actually far less often than you'd imagine). Windows Update I've shut down after Microsoft started pushing spyware and adware as "important updates". So now I run a risk of "hackers". So far they've proven less of a nuisance than actual vendors...

  7. Re:Bullshit by Anonymous Coward · · Score: 2, Insightful

    The Java holes that won the award for least secure software ever were in the Java plugin sandbox. Enterprise Java is not using the sandbox.

    The credit card stealing holes in big enterprise systems are more likely to be holes in the software handling the credit cards, rather than Java itself.

  8. Re:Really? Quicktime? Seriously? by AmiMoJo · · Score: 2

    Do newer versions of iTunes uninstall Quicktime when you upgrade? If not, it seems likely that a lot of people would have it installed for no reason when they could easily reduce the attack surface.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Re:Quicktime upgrade pushes other shit by Z00L00K · · Score: 3, Interesting

    The same goes for a lot of software - clog your computer with bloatware like Chrome and whatever that I never use.

    And at every upgrade the software package asks me to confirm that I agree to the current license version instead of just installing the update in the background silently to ensure that I get the latest security updates.

    In addition to that Windows also enforces the UAC to make you confirm that the update installation is permitted. But in many cases this is problematic since it won't help many users that are out there, especially those with limited computer knowledge who either clicks "No" on everything or "Yes" on everything. In both cases it leads to bad results.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  10. i'm surprised, it's not flash by unami · · Score: 2

    it's just unbelievable, how often flash needs to be updated. i usually disable autoupdates and only install the new version whenever i need it. but still, you can't use the computer for a couple of days without flash getting deactivated by safari because there's a newer version. how many bugs/security holes can one piece of software have?

  11. Re:Really? Quicktime? Seriously? by Zocalo · · Score: 2

    Many video editing and conversion tools claim that they "require" that QuickTime be installed during installation (although in many cases it's not actually required depending on the individual's specific needs), and then proceed to either download and install the current version or install an almost certainly out of date version from installation media. Since a basic version of a video editing tool is included with most devices with video capable cameras, I suspect this is probably responsible for bumping up the number of QuickTime installs on Windows much higher than it really needs to be, especially given how reticent some Windows users seem to be about installing updates.

    --
    UNIX? They're not even circumcised! Savages!
  12. Re: It's a business opportunity! by John+Allsup · · Score: 4, Insightful

    If the vendor has not managed to produce a properly written, secure, bug free piece of software by the 10th attempt, what faith should one have in the 11th. Software updates have led to bloat, bug tolerance and laziness. If vendors were required to ship working software, rather than anything they liked, we would have less software, but far less low quality software. Oracle, Apple and Adobe have some amazingly well written code lurking in their products, but it is buried under tons of bloated rubbish that should never have been considered fit to release.

    --
    John_Chalisque
  13. Re:It's a business opportunity! by Bert64 · · Score: 4, Insightful

    The problem is the "updaters", and these only exist because windows doesn't provide a centralised update system for applications to hook into.

    You end up with a load of background updater processes wasting resources at all times, so they end up getting turned off.
    And because the update process happens in userland, unprivileged users (i.e. most corporate installs) cannot apply the updates or run the updater.
    Most corporate deployments won't update these applications centrally because doing so is a painful process.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Re:It's a business opportunity! by mrbester · · Score: 2

    Another problem is that they are bug ridden heaps of crap that can't even be bothered to follow application guidelines that everybody else was capable of following for over a decade but instead force their own ideal of an interface that only looks good in one OS.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  15. Re:Quicktime upgrade pushes other shit by AmiMoJo · · Score: 2

    What bloatware does Chrome install?

    Chrome is actually one of the best apps I've seen for a long time. It installs without admin permissions to the user's local folder. It updates automatically and silently, which while annoying for some nerds is a massive boon for normal users. You never get prompted with new EULAs or any other fatigue inducing stuff like that. It runs at the lowest possible permissions, heavily sandboxed. Security fixes are prompt.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:Bullshit by Anonymous Coward · · Score: 2, Interesting

    Right, because you never encounter a non-technical CEO-type person who insists on having his iCrap connected to the corporate network. Nope, never. And they certainly don't ask the supporters to jump through hoops in order to make their bling authenticate against the AD-servers, nope wouldn't happen, ever /sarcasm.

    Really, considering my workplace is supposed to be a Windows-only-shop, we spend an inordinate amount of time messing around with dysfunctional Apple-software because boss-types want to be down with the young kids and flash their toys for corporate street-cred. It's a problem.

  17. Re:It's a business opportunity! by Pentium100 · · Score: 2, Insightful

    Because updates are inconvenient and sometimes they contain something else beside the security patches.

    Updating is a distraction, even if I am not using the program at the moment. Say, I am watching a movie and Java update pops up. Will I pause the movie to install a newer version of Java? Unlikely. After watching the movie, I will have forgotten about the update. It's even worse with updates that require a reboot. I pretty much never reboot my main PC because I "lose my place". Servers are a bit different - rebooting one only results in some downtime.

    I update Firefox more often because Firefox crashes quite frequently, might as well update it.

    The other problem is that updates are not always just security patches. For example, the spy updates for Windows 7 or 8, the Windows 10 nag update and also the occasional BSOD update for Windows. Firefox is an odd example in that its stability alternates with updates: an update makes it (more) unstable, then another update makes it less unstable, and so on.

    Oracle has overdone Java security. I only use Java for server management (remote KVM) and with new Java versions I have to click through multiple security warnings (self-signed SSL cert on server, the applet is old and does not have the needed security tags, Java version too old) and also add the IP to exceptions. Shouldn't "exceptions" mean "yes, I know it's insecure, I still want to use it anyway"? Older Java versions have fewer such nags.

    A better question would be why do software companies produce such buggy software? I do not have to "update" my car (made in 1982), tape deck or radio, unless some component wears out or just fails. Why does software come so unfinished and so full of defects?

  18. Re:It's a business opportunity! by AmiMoJo · · Score: 3, Interesting

    Mozilla and Google have solved the update problem in a nice way. They install services that do the updating, but don't run most of the time. When the app detects an update it wakes up the service, which does the installation.

    That means that the updater uses zero resources when not actively updating, and because it was installed as a service doesn't need further UAC prompts or admin level elevation to work. In other words, limited users can update.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
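    The inventory the comments above keep circling (which Apple components are on a Windows box, what version they are, and whether their updater is a scheduled task or an on-demand service) can be pulled from the registry and Task Scheduler in a few lines of PowerShell. The block below is an added example written for this page; it is not code from Slashdot, Apple, Google or Mozilla. It assumes that Apple's updater task lives under the \Apple\ folder in Task Scheduler and that the Google and Mozilla updater services are named gupdate/gupdatem and MozillaMaintenance; the "latest known" version table passed in at the end is a constructed placeholder to be replaced with figures from your own patch source.

```powershell
# Added example, not from the page or any vendor: inventory Apple components
# on a Windows PC, flag versions older than a reference table, and show how
# the updaters are hooked into the OS.
# ASSUMPTIONS: Apple's updater task sits under \Apple\ in Task Scheduler;
# Google/Mozilla on-demand updater services are gupdate, gupdatem and
# MozillaMaintenance; the version table supplied by the caller is a
# CONSTRUCTED placeholder, not real release data.

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledApps {
    # Walk both Uninstall hives (native and 32-bit-on-64) and keep entries
    # whose Publisher matches. DisplayVersion is a free-form string.
    param([string]$PublisherLike = 'Apple*')
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -and $p.Publisher -like $PublisherLike) {
                [pscustomobject]@{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                    Key       = $_.PSChildName
                }
            }
        }
    }
}

function ConvertTo-VersionOrNull {
    # DisplayVersion is not guaranteed to parse as System.Version; fail soft
    # so a malformed string is reported as Unknown rather than as Current.
    param([string]$Text)
    $v = $null
    if ([version]::TryParse($Text, [ref]$v)) { return $v }
    return $null
}

function Get-OutdatedApps {
    # Compare each installed app against a caller-supplied table keyed by
    # the start of its DisplayName ('QuickTime' also matches 'QuickTime 7').
    param([Parameter(Mandatory)][hashtable]$LatestKnown)
    foreach ($app in Get-InstalledApps) {
        $key = $LatestKnown.Keys | Where-Object { $app.Name -like "$_*" } | Select-Object -First 1
        if (-not $key) { continue }
        $have = ConvertTo-VersionOrNull $app.Version
        $want = ConvertTo-VersionOrNull $LatestKnown[$key]
        if ($have -and $want) {
            $status = if ($have -lt $want) { 'Outdated' } else { 'Current' }
        } else {
            $status = 'Unknown'
        }
        [pscustomobject]@{
            Name      = $app.Name
            Installed = $app.Version
            Latest    = $LatestKnown[$key]
            Status    = $status
        }
    }
}

function Get-UpdaterFootprint {
    # Apple's checker is a scheduled task (assumed path); Google and Mozilla
    # register services that stay Stopped until an update is staged, which
    # is the "zero resources when idle, no UAC prompt for limited users"
    # design described in the thread. Missing services are simply omitted.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Apple\*' } |
        Select-Object TaskName, TaskPath, State
    $services = Get-Service -Name gupdate, gupdatem, MozillaMaintenance -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
    [pscustomobject]@{ ScheduledTasks = $tasks; UpdaterServices = $services }
}

# Usage. The reference versions are CONSTRUCTED placeholders for this
# example; substitute the versions your patch source reports.
$reference = @{
    'QuickTime'             = '7.7.9.0'
    'iTunes'                = '12.3.0.0'
    'Apple Software Update' = '2.2.0.0'
    'Bonjour'               = '3.1.0.0'
}
Get-OutdatedApps -LatestKnown $reference | Format-Table -AutoSize
Get-UpdaterFootprint
```

    Run it in an elevated or at least HKLM-readable session; on a domain-joined fleet the same functions can be invoked through Invoke-Command to produce the "61 percent outdated" figure for your own estate rather than Secunia's sample. An entry reported as Unknown deserves a look rather than being counted as patched.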
  19. Users View Updates from Apple as Risky by jafiwam · · Score: 3, Interesting

    Users view updates from Apple as risky.

    Here is what one can expect with an update to iTunes:

    -four or five "yes I agree" click-throughs, one for each service the user hasn't signed up for or ever used
    -longer load time and general bloat
    -random UI changes that make it an exercise in "what will they think of next" to do basic stuff like sync a phone
    -an army of snotty "senior" "helpers" explaining the problem is not a problem, most of whom just don't bother to read
    -a SECOND set of random UI changes and feature removals for media organizing, moving or removing stuff like menus and ability to manage play lists, some of which represents hours and hours of tinkering with it.
    -"Careful, don't do that" advice from people who lost their whole library, or had to reinstall and couldn't find the library on the hard drive again.

    For Quicktime, it's about the same, only the user doesn't use the program much beyond obscure or old porn

    Apple has a BIG PROBLEM trying to push their UI bullshit into an environment where their UI bullshit stands out as particularly retarded. There's NO FUCKING REASON to remove the standard word based drop down across the top of the program. More space? People already have more screen space (or second, or third screens) than they know what to deal with. Doesn't look good to emo-fags? How about a toggle to turn it off? (which leaves it on by default)

    The actual risks for a slight chance for a security exploit are meaningless compared to the guaranteed fist-smashing-keyboard frustration of a simple update. I have actually helped users disable updates from Apple because they were so afraid of said bullshit or their old iPod or iPhone suddenly not working with it.

    If Apple wants to get people to update on Windows, they need to stay within the expected design parameters of Windows better and just let the program look different on different platforms.

    1. Re:Users View Updates from Apple as Risky by upuv · · Score: 4, Insightful

      I have to completely agree.

      Apple software installs effectively trash your carefully configured machine. How many WTF moments have I had just after a simple update and realise that my personal content has now magically moved. To where? Pictures and Videos I take of the family all of a sudden are assimilated into the Apple sphere. My preferences for video audio, homepage, picture, editing etc all trashed.

      And in most cases it's damn near impossible to remove. Thus being relegated to un-used software that is slowly dying in a dark corner of the hard-drive.

  20. Re:Really? Quicktime? Seriously? by drinkypoo · · Score: 2

    Do newer versions of iTunes uninstall Quicktime when you upgrade? If not, it seems likely that a lot of people would have it installed for no reason when they could easily reduce the attack surface.

    Do you really think that many people have gone that long without having to reinstall Windows?

    And in reply to the sibling AC comment, while I'm here:

    Unless you have Linux distro-like package management, there's no easy way for the iTunes updater to know whether Quicktime is used by some other application.

    Of course there is. Programs get to register to say that they are using a shared DLL. You check to see if your DLL is marked as being in use, and if not, then you uninstall.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
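    The registration drinkypoo describes is the SharedDLLs reference count under HKLM, where each value name is a file path and the DWORD data is how many installers claimed it. The block below is an added example written for this page, not code from Slashdot or from Apple's installer; the QuickTime directory and the file name used at the end are hypothetical filters, not paths taken from the page.

```powershell
# Added example, not from the page: read the shared-DLL reference counts that
# Windows installers maintain, and make the remove/keep decision an
# uninstaller would make. ASSUMPTION: the QuickTime directory and file name
# in the usage section are hypothetical, chosen only to illustrate the filter.

$SharedDllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'

function Get-SharedDllTable {
    # Each value name under the key is a full file path; each DWORD value is
    # the number of products that registered a reference to that file.
    if (-not (Test-Path $SharedDllKey)) { return @() }
    $props = Get-ItemProperty -Path $SharedDllKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        [pscustomobject]@{ Path = $p.Name; RefCount = [int]$p.Value }
    }
}

function Get-SharedDllRefCount {
    # 0 means "never registered as shared", which is not the same as "free":
    # an installer that skipped the bookkeeping leaves no trace here.
    param([Parameter(Mandatory)][string]$Path)
    $entry = Get-SharedDllTable | Where-Object { $_.Path -ieq $Path } | Select-Object -First 1
    if ($entry) { return $entry.RefCount }
    return 0
}

function Test-SafeToRemove {
    # Safe only when the remaining references are the ones our own product
    # holds ($OwnRefs). A count of 0 is reported as unknown, not as safe,
    # because the counter is only as reliable as the installers that kept it.
    param([Parameter(Mandatory)][string]$Path, [int]$OwnRefs = 1)
    $count = Get-SharedDllRefCount -Path $Path
    $note = if ($count -eq 0) { 'not registered; count unknown' } else { '' }
    [pscustomobject]@{
        Path         = $Path
        RefCount     = $count
        OwnRefs      = $OwnRefs
        SafeToRemove = ($count -gt 0 -and $count -le $OwnRefs)
        Note         = $note
    }
}

# Usage: list every shared component registered under a (hypothetical)
# QuickTime directory, then evaluate one (hypothetical) file.
$qtDir = 'C:\Program Files (x86)\QuickTime\'
Get-SharedDllTable | Where-Object { $_.Path -like "$qtDir*" } | Format-Table -AutoSize
Test-SafeToRemove -Path ($qtDir + 'SomeSharedComponent.dll') -OwnRefs 1
```

    The caveat the comment glosses over is visible in the last function: the mechanism exists, but it is opt-in bookkeeping, so an iTunes uninstaller can only trust the count for products that incremented it. That is why "leave it installed" is the conservative default vendors pick, and why the attack surface AmiMoJo worries about tends to stay on the machine until someone removes it by hand.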
  21. I'll be that guy by phishybongwaters · · Score: 3, Insightful

    I'm gonna go ahead and call this flamebait. I'm no fan of Apple but that's more about their business practices and less about the quality of their hardware and software... but I'm struggling to blame Apple for people not keeping quicktime updated. Who the F@CK uses quicktime? I know back to the future day has passed, so clearly we aren't travelling back to 1998, so wtf is quicktime even doing on most peoples machines?

    1. Re:I'll be that guy by thegarbz · · Score: 2

      Who the F@CK uses quicktime?

      People who use software that:
      Software that didn't bother writing their own video playing engine and hooked into quicktime.
      Software that did write its own video playing engine but didn't realise that maybe people have figured out how to play MOV containers without having quicktime installed.

      I wish this was some no-name software I'm talking about, but unfortunately it's the single most popular image editing tool on the market that requires quicktime in order to preview video files and copy them off cameras.

      No one actually uses quicktime to play movies.

    2. Re:I'll be that guy by SvnLyrBrto · · Score: 2

      QuickTime is more than just the QuickTime player. Its libraries are used by Finder for previews of media files, iTunes for playback of movies and music (That's why if you want to add ogg support, you put the codec in /Library/QuickTime and not /Library/iTunes.), and various third-party programs call on its functions as well. Also, it does more than just playback and encoding. It supports subtitles, branching, chapters, and most of the other features you'd find on DVD to BluRay. That's how movies purchased from iTunes have those special features and such.

      So yeah... it's kind of important. And you're using it at some point, even if you never use the QuickTime player itself. And honestly, I don't get the hate for QuickTime player anyway. Its only real handicap in daily use for me is the lack of support, by default, for some codecs, and the flakey plugins for those that do require me to switch to VLC occasionally.

      --
      Imagine all the people...
  22. Re: It's a business opportunity! by Anonymous Coward · · Score: 3, Insightful

    Which is fucking great until someone takes over your privileged service that's running in the background.

  23. Re: It's a business opportunity! by TheRaven64 · · Score: 3, Insightful

    If the vendor has not managed to produce a properly written, secure, bug free piece of software by the 10th attempt, what faith should one have in the 11th

    Name one piece of software that is over 50,000 lines of code and is bug free after any number of attempts.

    If vendors were required to ship working software, rather than anything they liked, we would have less software, but far less low quality software

    We would have far less software. seL4 is the most complex piece of formally verified code and is around 10,000 lines of code. NICTA estimates that the cost of developing it is around 30 times the cost of developing the equivalent software with best-practice feature and regression testing and code review. The cost of making a nontrivial modification to seL4 is almost as great as the cost of writing it in the first place.

    Oh, and when seL4 was open sourced, it took under 24 hours before someone found an exploitable security hole in it, because their formal verification hadn't verified the property that the attacker was looking for.

    --
    I am TheRaven on Soylent News
  24. Re: It's a business opportunity! by Karlt1 · · Score: 2

    You end up with a load of background updater processes wasting resources at all times, so they end up getting turned off

    That's not true for Apple's update. It creates a scheduled task for Windows Task Manager. Windows Task Manager launches the update checker I believe once every 24 hours. The updater is not constantly in memory.

    Personally, I don't keep iTunes up to date on my Windows PC because I never use it. I back up my phone using iCloud, pictures automatically get downloaded to my computer using the iCloud control panel, etc.

  25. Re:It's a business opportunity! by Pentium100 · · Score: 2, Insightful

    My car was built properly the first time, it did not need continuous replacement of parts because the original ones had design/manufacturing defects. Due to being mechanical, some parts did wear out or failed in the years after the car was made though.

    And if I replaced the tape deck with a radio that had internet connection, while the radio could be hacked, the rest of my car would not be. So why in modern cars can you use a hacked radio to hack the rest of the car?

    Software, on the other hand, especially current one, is full of design/manufacturing defects - Microsoft was fixing Windows XP for 13 years and still did not manage to fix all defects. Also, unlike my car, software is not mechanical, it should not wear out or rust.

    Being connected to the internet or not is not the reason why modern software is buggy, lazy programming is. After all, you can prevent all buffer overflow attacks by checking the length before writing to the buffer...

    I understand open source software being buggy (since it is given away for free and usually is work-in-progress), but commercial software like Windows should not be buggy. However, seems that Linux is more secure than Windows...

  26. Re: It's a business opportunity! by harperska · · Score: 2, Insightful

    https://en.wikipedia.org/wiki/...

    True, however that is a very special case as TeX is still actively supported, yet hasn't had a new feature added in over 25 years. I know it's moving goalposts slightly, but name a piece of software over 50,000 lines of code which is bug free and actively being enhanced. Or to look at it another way, TeX only reinforces GP's point, that it takes 25 years of patches without any feature enhancements to make a large codebase bug-free.

  27. Re:Latest versions... by Fire_Wraith · · Score: 2

    This was why I stopped using Apple software on Windows in general. I got tired of having it download a bunch of superfluous, unwanted things (like Bonjour), never mind just how slow and awful iTunes for Windows was.

    But it's definitely not worth leaving buggy, outdated software on your machine. If you care about it being secure, then either update it, with all the good and bad, or get rid of it.

  28. Re: It's a business opportunity! by TheRaven64 · · Score: 2

    TeX may be bug free, but that's only because it is a small VM that does very little. If you actually want to use it, you need to use a load of other packages, which do contain bugs.

    --
    I am TheRaven on Soylent News
  29. Re: first by fyngyrz · · Score: 3, Informative

    From TFS, the biggest infection vector isn't "Apple", it is simply users who have failed to update.

    Clickbait nonsense. Dice. But I repeat myself.

    --
    I've fallen off your lawn, and I can't get up.
  30. Re:It's a business opportunity! by Anonymous Coward · · Score: 2, Informative

    The Apple HIG was around long before Windows was even released, much less 10 years later when Microsoft formalized the Windows HIG.

    Apple builds UI's to their own HIG, and builds their software to conform to their HIG across any platforms they port it to.

    Microsoft builds their UI's to the port's platform's HIG. (Most other companies do this too.)

    That's why you get retarded shit in the Windows version of iTunes, like the [Cancel] [OK] button sequence instead of the Windows standard [OK] [Cancel] sequence. The Windows HIG specifies that they should be [OK] [Cancel] and OK should be the default action on the form. This allows keyboard users to tab out of the last form field and "click" the button with the spacebar without even reaching for the mouse. The Apple HIG specifies those buttons in the opposite order because right-handed mouse users (that's 75% of the user base, generally speaking) find it easiest to click the right-most button in a set of buttons, making the OK button the easiest to reach. And that's just one example of piddly little differences between MacOS (and Mac OS X) and Windows HIG's.

    You can argue (and argue, and argue...) that Apple's way is better or worse or whatever. But don't argue that Apple's way wasn't around first. It was. It was by far the first formal HIG of any of the modern OS platforms. A better argument would be that Apple needs to follow the "when in Rome" principle, and build UI's to the platform's HIG rather than their own in-house HIG.