
Macworld Security Article Up: The Truth About Apple Security

By Rich

Right when the Macalope was sending along his take on the recent Computerworld editorial calling for the FTC to investigate Apple, Macworld asked me to write a more somber take. Here’s an excerpt:

On May 26, Macworld republished a controversial Computerworld article by Ira Winkler suggesting that Apple is “grossly negligent” when it comes to security and should be investigated by the Federal Trade Commission for false advertising. The author was motivated to write this piece by Apple’s recent failure to patch a known Java security flaw that was fixed on other platforms nearly six months ago. While the article raises some legitimate issues, it is filled with hyperbole and inaccurate interpretations, and it reaches the wrong conclusions. Here’s what you really need to know about the Java situation, Mac security in general, and the important lesson about how we, as customers, control Apple’s approach to security.

The real failure of this call for better Mac security, and of many others like it, is that it fails to accurately identify who is really responsible for Apple’s current security situation. It isn’t security researchers, malicious attackers, or even Apple itself, but Apple’s customers. Apple is an incredibly successful company because it produces products that people purchase. We still buy MacBooks despite the lack of a matte screen, for example. Until we tell Apple that security will affect our buying decisions, there’s little motivation for the company to change direction. Think of it from Apple’s perspective: Macs may be inherently less secure, but they are safer than the competition in the real world, and users aren’t reducing what they spend on Apple because of security problems. There is reasonable coverage of Mac security issues in the mainstream press (Mr. Winkler’s claims to the contrary notwithstanding), but without demonstrable losses it has yet to affect consumer behavior.

Don’t worry: I rip into Apple for its totally irresponsible handling of the Java flaw, but there really isn’t much motivation for Apple to make any major changes to how it handles these things, as bad as that handling often is.

Comments

Great article on TidBITS—I think the hardest one of the five listed will be “Manage Vulnerabilities in Included Third-party Software”. Only because I think, with regard to FOSS, it’s hard to maintain your own patchset and, after submitting those patches, audit/validate that they are in the next release from the maintainer and that they continue to be in subsequent releases.

Even with all of this stuff in place there’s no guarantee on timelines even then… Look at the DLL load hijacking Aviv Raff discovered in 2006. It was *just* patched this April.

http://aviv.raffon.net/2009/04/14/ALaCOREImpact.aspx

—windexh8er

By windexh8er


Agreed: I have high hopes for Leopard, and some recent events give me a bit of hope that things will improve. Macs are safe, if not the most secure, and I just want to keep it that way.

I have an article on Apple’s security program going out on TidBITS a little later today… I think they have a real opportunity to improve things and create a safe computing experience for the long haul.

By Rich


My favorite analogy Winkler uses is the one about throwing a gun on the playground and letting kids figure out how to load it. I’m not going to say there are no bullets or that it’s even a hard gun to load… The problem is that there aren’t many bullets to begin with. That may change, but here’s my take on the situation. Apple is Apple is Apple-as-they’ve-always-Appled. Apple is very strategic in playing the game of chess that is selling platforms (i.e. iPod + iPhone + Mac + OS X = Platform). If you (especially if you’re the President of Internet Security Advisors Group) haven’t figured that key piece out yet, the boat left you on the island long, long ago. Back to the point at hand though.

It is in my limited scope of insight to believe that Apple has still not developed an internal framework around patch strategies with specific regard to security. Apple has skipped through this thus far, but Apple is a creature of habit when it comes to the way things are done. They don’t change things that work (internal motto for most everything Apple?). Sure, Apple tries a new spin on things if they see it as a profitable endeavor. Apple is consistent. In the case of patching OS X against published exploits, they are consistently slow. They weigh the risk, the risk is generally low, and then they just roll the update into the next planned patch. If, however, I came out with an exploit that, when unleashed, would wipe out OS X to the point of no return and made it simplistic enough for any rock-star script-kiddie wannabe to use, they may make an exception to that process. If, and only if, my exploit will end up on CNN, MSNBC, FOX, etc., putting Apple in a dim light and actually affecting a huge portion of the Apple population negatively, Apple will just do their thang—business as usual.

What about FreeBSD—is the porting project of Sun Java that FreeBSD supports appropriately patched? Doesn’t look like it, because all of their docs are around 6 update 3 (I could very well be wrong here—I did 5 minutes of research). I know, “Apple” to Oranges here, right? But is it? Is the only reason that we poke at Apple because they are highly successful and visible as a profitable company, whereas many, many, many businesses run FreeBSD in the data center for free? (The point here is: how many other known exploits like this exist in highly deployed but low-visibility platforms—platforms that are probably more sensitive to things like, oh, PCI, GLBA, HIPAA, SOX, etc.?) There’s no fiscal impact to the FreeBSD project, and they’re not running smug commercials either. But at the end of the day, if Winkler is really about “security” then he’d be lambasting any vendor he could find.

Instead—it’s Apple and Apple alone. Because he really wants to make users aware, or because he has other fiscal motivations for running negative press? Ultimately I don’t care… Reading “Computer World” is like watching FOX News for me; there’s just no point.

Off topic slightly again here, so let’s refocus. Apple is a creature of habit—we have substantial evidence to back that up. They’re consistent in remaining secretive *until* they want to announce something, they’re consistent in hardware design, they’re consistent in innovation, they’re consistent. That brings me to Snow Leopard. I firmly believe that with Snow Leopard we will see a new consistency come into place. Apple is running BAU for now with Leopard, but when the snow flies later this year a new process will emerge. Don’t get me wrong here: Apple will not be shouting from every social media outlet when, why, and how they’re going to respond to that next critical patch, but I feel they will have a more formal process. If Apple is smart they’ll have that track to better handle issues in a more timely manner. Will it shut people up like Winkler who are out on a campaign? Nah—Apple will never be public enough to appease that much ignorance.

At the end of the day, patches in systems will be overlooked or just blatantly ignored for years to come. Cisco, Microsoft, Apple, Google, etc., they all do it—some more than others. Is it right? No. Would I like to see it change? Of course. Blogs on Computer World obviously don’t work. What we need is a very visible, easy to understand, metrics-based repository of outstanding exploits. Something that is not vendor supported and is unbiased. Outlets like Secunia have the resources and history to do this—but the focus is not the same. This leads to an imaginary report card we try to generate from current analytics. Until we can measure and directly compare, there will be no way for the general population to get a fair perspective. Winkler’s types of articles just talk about the same thing that happened last month with that other vendor. But after reading the article it seems more a personal vendetta than anything…

FTC—give me a break Winkler, go back to investigating the Russian mafia.

By windexh8er

