
Apple Uncommunicative About Security Holes

pudge posted more than 9 years ago | from the raising-you-one-worm dept.

Security 573

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public about the nature of the problems.


573 comments

ZING! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9068459)

Suck a Boot!

Reasons why... (4, Informative)

BWJones (18351) | more than 9 years ago | (#9068472)

Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS, has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).

I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?

Re:Reasons why... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#9068492)

"I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made."...And you own What type of Mac?

Re:Reasons why... (5, Interesting)

Anonymous Coward | more than 9 years ago | (#9068495)

If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.
Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

Re:Reasons why... (5, Informative)

talaper (529106) | more than 9 years ago | (#9068551)

Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

Your statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. That's a BIG difference.

Re:Reasons why... (5, Funny)

Anonymous Coward | more than 9 years ago | (#9068618)

You are correct sir! It's not like Microsoft released the patch for the Welchia worm a month before the worm's release or anything!

Re:Reasons why... (4, Insightful)

CuriHP (741480) | more than 9 years ago | (#9068619)

Security by obscurity is bad as a long term approach. However, it's not necessarily a bad thing during the day/week/month it takes you to write and test the fix.

It would be a bad idea to protect your house by trying to keep the fact that your front door's lock is broken a secret. But, it also wouldn't be a good idea to put a giant sign out advertising that fact while you were waiting for the locksmith.

Re:Reasons why... (5, Informative)

neuroticia (557805) | more than 9 years ago | (#9068709)

Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an insecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

If there's a vulnerability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

-Sara

Re:Reasons why... (0)

Anonymous Coward | more than 9 years ago | (#9068743)

Aren't passwords security by obscurity?

Re:Reasons why... (5, Funny)

duffbeer703 (177751) | more than 9 years ago | (#9068664)

You obviously don't understand the fact that Steve Jobs is a genius. I once witnessed Steve turn a barrel of rocks into gold bricks. The man is amazing.

OS X holes aren't problems, but opportunities for Mac users who "Think Different." to explore the creative possibilities of their Mac from a new, unique and artful perspective.

Apple is a corporation that cares about and nurtures the creative class of our society. "Security" is just another word for mindless oppression by the man.

Microsoft is just an evil corporation in it for the money, and they put holes in their software to sell more stuff!

Re:Reasons why... (5, Interesting)

gunnk (463227) | more than 9 years ago | (#9068665)

Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.

Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.

Re:Reasons why... (5, Interesting)

daviddennis (10926) | more than 9 years ago | (#9068533)

This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.

That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

D

Re:Reasons why... (0, Insightful)

duffbeer703 (177751) | more than 9 years ago | (#9068555)

Apple apologists are the most amazing bunch of people that I have ever encountered.

When it was revealed that Apple sold a $300 super-walkman that needed a $100 exchange for a refurbished iPod & battery after a year, the Appleheads insisted that it was perfectly ok. Hell, AAA batteries would cost more!

Now some bleating shit about security patches:
"Apple is not revealing exploits to protect us"

What would your reaction be if Steve Ballmer got up and said "patches do not matter, we are withholding them for your protection"? It would be a veritable orgy of Microsoft denunciations.

The argument "Well, the CIA used NeXT, so OSX is secure" holds no water either. The CIA used a lot of Sun boxes from that era as well. Solaris 2.5/2.6 and SunOS were practically wide open from a security POV. If you stuck a gold disk Solaris 2.6 box on the internet, it would be rooted in minutes.

I hear Steve Jobs is going to ask you to drink the kool-aid! Get your cup ready!

Re:Reasons why... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9068636)

Duffbeer703 here is obviously a shameless queer hater, a homophobe of the worst kind. Why else would he pooh-pooh an overpriced mp3 player and OSX, made by the gayest company on the face of God's green earth?

So as a gay Apple apologist I say...

MOD PARENT DOWN!

Re:Reasons why... (2, Informative)

Beer_Smurf (700116) | more than 9 years ago | (#9068638)

It doesn't take the special insite of an "Apple apologist" to recognise this article as complete tripe.
All you need to do is RTFA, Oh, Wait..........., never mind.

Re:Reasons why... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9068730)

It doesn't take the special insite of an "Apple apologist" to recognise this article as complete tripe.

I've always found it amazing that people who can't even spell a word as commonly used as "insight" feel they have a right to give their opinion about somebody else's writing.

Why don't you go finish primary school before you open your cake hole?

Re:Reasons why... (-1, Flamebait)

crackshoe (751995) | more than 9 years ago | (#9068727)

1) The 300 dollar super walkman's batteries don't always fail within a year. It depends highly on usage. And obviously, from the amazing number of them sold, most people don't mind that much. Ya know, batteries die. It happens. If it's under warranty, you get it fixed for free. 2) I'm sorry that you were molested as a child. But if you're going to take an obviously skewed, biased (wait... isn't news supposed to be objective?) article as god's honest truth, there's a problem. Apple and Windows do things differently. I prefer Apple's model, personally.

Re:Reasons why... (4, Interesting)

Rosyna (80334) | more than 9 years ago | (#9068568)

And FWIW, the Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system."? Do bugfixes also need to give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

Re:Reasons why... (3, Interesting)

sydb (176695) | more than 9 years ago | (#9068682)

There's absolutely nothing wrong with the approach you suggest, and I would also advocate it.

But there's no point pretending that because you've kept it a secret, no-one's going to find out.

So you have to be prepared for the worst, even if you don't ask for it.

security holes on a BSD-based system??? (-1, Flamebait)

wmeyer (17620) | more than 9 years ago | (#9068481)

Gee, and after all we've been told about Windows being the only insecure platform.... who'da thunk it?

Re:security holes on a BSD-based system??? (5, Insightful)

Kenja (541830) | more than 9 years ago | (#9068530)

"Gee, and after all we've been told about Windows being the only insecure platform.... who'da thunk it?"

Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token, Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.

Re:security holes on a BSD-based system??? (2, Insightful)

BFaucet (635036) | more than 9 years ago | (#9068699)

Hear hear! Well spoken, Bruce!

I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used ask the user to create a root username and pass, then tell the user that they shouldn't usually log in as root and get them to create another user.

Re:security holes on a BSD-based system??? (1)

Kenja (541830) | more than 9 years ago | (#9068749)

"Hear hear! Well spoken, Bruce!

I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used asks the user to create a root username and pass, then tells the user that they shouldn't usually log in as root and gets them to create another user."

True enough, Windows out of the box has more services running that can cause problems. However I've yet to see a "server" that was an out of the box install. As soon as you start selecting which packages to install you are undertaking the task of hardening the system; this can be done on most operating systems to at least some degree. I don't find it too different to block ports at the firewall rather than at the service level. Just think of it as layer 3 vs layer 4 switching.

Immanuel Kant was a real pissant
Who was very rarely stable,
Heidegger, Heidegger was a boozy beggar
Who could think you under the table,
David Hume could out-consume,
Wilhelm Friedrich Hegel.
And Wittgenstein was a beery swine
Who was just as sloshed as Schlegel.
There's nothing Nietzsche couldn't teach ya
'Bout the raising of the wrist.
Socrates himself was permanently pissed.
John Stuart Mill, of his own free will
On half a pint of shandy was particularly ill.
Plato, they say, could stick it away,
Half a crate of whiskey every day.
Aristotle, Aristotle was a bugger for the bottle,
Hobbes was fond of his dram,
And René Descartes was a drunken fart
"I drink, therefore I am."
Yes, Socrates himself is particularly missed,
A lovely little thinker but a bugger when he's pissed.

So...where's the news? (2, Interesting)

paraphase (776198) | more than 9 years ago | (#9068564)

As long as there are operating systems and, likewise, semi-to-fully intelligent people who look them over..there will always be, in some form,..."holes". Any system must be absolutely isolated from any outside sources of activity to even be viewed as semi-secure. My PC with my own OS in the middle of my padded room connected to nothing but cables to my inverter may be secure...but the fella drooling in the corner has given me some reason for concern....

A strategy (1, Insightful)

The_Mystic_For_Real (766020) | more than 9 years ago | (#9068482)

It seems possible that they intentionally keep quiet when they find a security hole. As long as your users get your patch, no good can come of more people knowing about the security hole.

Re:A strategy (1)

crackshoe (751995) | more than 9 years ago | (#9068512)

I recently installed win2k on two of my boxes. It took me nearly 3 hours to pull down every critical windows update, and a half dozen restarts. I do a clean install of OS X on any of my macs, software update pops right up, runs, and actually isn't a pain in the ass ( hahaha. you can only install windows media player 9 in its own update. you cannot combine. try it. i crush you ). I forget the default for software update, but it checks periodically, and unobtrusively hassles you until you do it. Windows? who updates windows?

Re:A strategy (2, Insightful)

Anonymous Coward | more than 9 years ago | (#9068514)

Yes, security through obscurity. A well thought out and totally effective strategy.

Not.

Re:A strategy (2, Funny)

Anonymous Coward | more than 9 years ago | (#9068573)

Not.

Wayne's World, Wayne's World, party time, excellent!

p.s. find a new method of sarcasm!

Re:A strategy (2, Insightful)

Neil Blender (555885) | more than 9 years ago | (#9068624)

Yes, security through obscurity. A well thought out and totally effective strategy.

Not

And I 'not' your 'not'. Patching a hole quietly is not security through obscurity.

Wow, this is pointless (4, Insightful)

PedanticSpellingTrol (746300) | more than 9 years ago | (#9068483)

The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". It seems that when making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.

Re:Wow, this is pointless (1, Insightful)

Anonymous Coward | more than 9 years ago | (#9068541)

When there's a vulnerability that nobody knows about, is it still a vulnerability?

Sorry, I'm getting a bit philosophical about this.

Re:Wow, this is pointless (4, Insightful)

neuroticia (557805) | more than 9 years ago | (#9068545)

It is if Apple ships with a version of Apache that is exploitable and does not issue an Average-User-Enabled (ie: no compiling necessary) patch within a decent amount of time. Apple including server software with an OS that goes out to people who have no idea what a server is, or the impact of running one.. does make it their problem.

Re:Wow, this is pointless (5, Insightful)

HeghmoH (13204) | more than 9 years ago | (#9068558)

And then they mention a hole in Apache? WTF? Not Apple's problem.

It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.

Re:Wow, this is pointless (2, Funny)

killjoe (766577) | more than 9 years ago | (#9068680)

DO they ship apache with every copy of mac os x?

Re:Wow, this is pointless (5, Informative)

Elwood P Dowd (16933) | more than 9 years ago | (#9068737)

DO they ship apache with every copy of mac os x?

Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.

The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".

I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.

Re:Wow, this is pointless (1)

blackmonday (607916) | more than 9 years ago | (#9068748)

Yes it ships with Apache, but it's turned off by default. Actually, pretty much every network service is off unless the admin turns it on. By the way, I finally got my second story submitted!

Re:Wow, this is pointless (1)

slive (21582) | more than 9 years ago | (#9068590)

Well, since Apache is distributed as part of OSX, it is their problem to make sure OSX gets the fix.

But the problem that they allude to in Apache is really trivial and not dangerous at all in the vast majority of cases.

If the other problems are of similar severity, then Apple is entirely correct to down-play them.

RTFA (-1)

Anonymous Coward | more than 9 years ago | (#9068672)

The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?"
He specifically mentions the problems - did Apple release these patches just for fun?

The thrust is, THERE ARE MANY CRITICAL FLAWS THAT GO UNPATCHED FOR A SIGNIFICANT AMOUNT OF TIME. In addition to that, they get downplayed by Apple.

Moderation is out of control, as with any Apple-related story. Do your worst, -1, not a fanboy, and +4 for PST, idiot shill who didn't even RTFA and knee-jerked a defense of Apple. Fuckers.

Re:Wow, this is pointless (2, Informative)

baryon351 (626717) | more than 9 years ago | (#9068712)

The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?".

I don't think there's anything truer than "There are dozens of holes in OSX". Also "There are dozens of holes in Windows" and "There are dozens of holes in Linux - pick a distro any distro". You only have to look at the number of patches released for ALL operating systems to see the truth in that. Some OSs will be worse than others and have more exploited holes, that's an argument for another time.

Those holes aren't a dramatic problem, until they're found and IGNORED by a vendor. That's all there is to it, not whether a company is uncommunicative. I'd be willing to bet that as soon as Apple became aware of its AFP problems, work began on fixing the problem. I'd rather see a best effort made towards fixing the problem rather than release press release after press release, SCO style.

Of course, openness is always admired and it would be a nice thing to know just what's happening with a fix for an exploitable hole, but that's a little less important than getting a well written patch out for the hole.

And now, it IS patched, fixed. Any default OSX install is going to have already alerted its owner to the existence of the fix.

why talk about problems? (0)

Anonymous Coward | more than 9 years ago | (#9068486)

I think that it would be in Apple's best interests to quietly eliminate security issues before anyone tries to exploit them. Apple is about solutions, right?!

Duh (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9068493)

apples can't talk.

call me (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9068498)

pudge writes: no evidence of widespread security problems, or lack of effort to solve them, is offered.

pudge, do me a favor and call me when you think of some evidence that could show that lack of effort.

Slashdot fanboy bias (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9068499)

Pudge, no amount of rationalizing can excuse Apple's behavior. Why is it okay for Apple to be secretive about vulnerabilities but not Microsoft?

Re:Slashdot fanboy bias (2, Flamebait)

Klerck (213193) | more than 9 years ago | (#9068516)

Because less than 1% of the total market share of consumer PCs is inconsequential!

In short: they don't matter.

Re:Slashdot fanboy bias (3, Insightful)

falcon5768 (629591) | more than 9 years ago | (#9068563)

Because Apple is repairing them, just not telling people until the hole is repaired unless it is a major vulnerability (the password one a year ago comes to mind). That way WHILE they are making a patch people aren't coding to exploit the hole.

Microsoft's policy is that the holes don't exist; Apple's is that they exist and when we find them we fix them.

Re:Slashdot fanboy bias (0)

Anonymous Coward | more than 9 years ago | (#9068617)

Winner of the most ass-kissing Macinista post of the day.

Microsoft is just as guilty (0)

Anonymous Coward | more than 9 years ago | (#9068501)

Microsoft is just as guilty and then some. They try to hide these things from the public until they are an absolute threat. Mac users aren't as abundant as windows users, so the base for people finding these holes is much smaller.

Keeping quiet makes perfect sense to me! (4, Interesting)

Txiasaeia (581598) | more than 9 years ago | (#9068502)

Think about it: if Apple keeps quiet about the massive and widespread effects of viruses on their OS, the benefits are:

-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.

Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!

Re:Keeping quiet makes perfect sense to me! (0)

Anonymous Coward | more than 9 years ago | (#9068594)

"massive and widespread effects of viruses on their OS" What viruses?

Re:Keeping quiet makes perfect sense to me! (4, Interesting)

neuroticia (557805) | more than 9 years ago | (#9068651)

Benefits of letting your users know:

1- They will be aware that their OS isn't perfect. Healthy paranoia is essential to running a system that is secure. If you're not healthily paranoid... "That update? I'll download it later. First I'm gonna download this latest and greatest 3D Game and give it a go."

2- If they are aware that there is currently a vulnerability for... Safari, they have the option of using an alternative browser until the vulnerability is patched. Quicktime? They're aware there is a problem, and put off on downloading quicktime from unknown sources for a while. (Britney Spears porn? That can wait until a patch is out!)

Bottom line- If Apple DOES NOT let their users know about a vulnerability and nothing happens--no biggie. If Apple knows about a vulnerability and DOES NOT let its users know, and something does happen.. Boom, Apple's got a virus, or a remote root exploit, and everyone knows about it. If Apple says "We knew", then they're guilty of not informing their customers. If Apple says "We didn't know", then they're guilty of not knowing how to secure their OS, and not keeping on top of things.

Apple's got a small marketshare that they're trying to increase, and they're trying to burst into a new market where people are still skeptical. Covert cloak and dagger "security by obscurity" is never a good thing, and in this market it will only alienate. It's MUCH better for Apple to say "We have a vulnerability... And three hours later we have a patch."

-Sara

Mac owners... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#9068504)

...spend their time worrying about HIV.

Re:Mac owners... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#9068537)

LOL! Funniest /. comment I've seen all day

Just keeping it low key (1)

rms_nz (196697) | more than 9 years ago | (#9068505)

I would say that Apple are working on the information behind the scenes but keeping quiet about it to keep it more low key.
As soon as you make the public more aware then you'll probably get a lot more "kiddie hackers" trying to show off...

Security through obscurity ? (1, Insightful)

CrustyBread (762569) | more than 9 years ago | (#9068506)

Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.

In other words security through obscurity? Who does that remind you of? And how successful has that policy historically been? hmmm...

This could be pretty serious (5, Funny)

Anonymous Coward | more than 9 years ago | (#9068507)

What people fail to realize is that there are literally hundreds, if not thousands, of people who own Macs and many of them are now connected to the Internet.

Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.

Re:This could be pretty serious (2, Funny)

Kenja (541830) | more than 9 years ago | (#9068550)

"Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm."

It could delete all dem perdy pictures!

Re:This could be pretty serious (1)

BK425 (461939) | more than 9 years ago | (#9068599)

mod'd funny... 'kay. But those art schools do actually have internet connections. And, actually, Mac users do have internet fora in which they can gripe, including mainstream media connected forums. If this were happening it's reasonable to assume those forums and media would be abuzz about it. Perhaps this is just more M$ FUD. BK425

Re:This could be pretty serious (1)

killjoe (766577) | more than 9 years ago | (#9068701)

A dialog box would pop up asking for the root password. At that point one presumes the user knows enough not to type it in.

If the user is stupid enough to actually give the application permission to mess with the system, Apple is not responsible.

Re:This could be pretty serious (2)

System.out.println() (755533) | more than 9 years ago | (#9068725)

A dialog box would pop up asking for the root password. At that point one presumes the user knows enough not to type it in.

You would HOPE so.... This has proven to be a very unreliable strategy in the past though.

Poorly thought out, badly written sensationalism. (5, Insightful)

Raindance (680694) | more than 9 years ago | (#9068513)

I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.

However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biased half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here."). There's really no proof (hard or soft) for any of the assertions in the article.

In conclusion, there's really really nothing to see here.

RD

Re:Poorly thought out, badly written sensationalis (0)

Anonymous Coward | more than 9 years ago | (#9068685)

You can root any Mac with nothing more than a DHCP server. This is by design, according to Apple, and will never be fixed.

Re:Poorly thought out, badly written sensationalis (3, Insightful)

mst76 (629405) | more than 9 years ago | (#9068746)

> I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.

Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP addresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread [slashdot.org]: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.

Biggest bunch of bull ever (5, Insightful)

falcon5768 (629591) | more than 9 years ago | (#9068517)

The fact that they call this current windows worm not a major threat tells you where their mind is and who's paying their pockets.

I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.

Pat Tillman (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9068526)

So, the news is now out that Pat Tillman, the Cardinals player killed in combat, was an atheist. Now, as an atheist myself, I think that's great. But going off to war voluntarily was just STUPID.

But, in the end, I'm thankful to Pat Tillman, in the same way that I'm thankful to all the lottery players who help make public education affordable. Without a large number of stupid people to fight our wars, where would this country be?

So, for your sacrifice, I thank you Pat Tillman, you became the ultimate chump to keep us free.

Re:Pat Tillman (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9068546)

Amen to that. More cannon fodder for Bush's imperial wars means less possibility for a draft. Thank you patriotic suckers!

Where's the evidence??? (4, Insightful)

malchus842 (741252) | more than 9 years ago | (#9068528)

I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).

Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel.

Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.

Re:Where's the evidence??? (2, Insightful)

System.out.println() (755533) | more than 9 years ago | (#9068611)

I can't believe that the editors (are there any?) let this article see the light of day.

The story got mentioned on Slashdot, MyAppleMenu, and Spymac... it's gotten plenty of coverage. I never knew that site existed until this article. Its sole purpose, I believe, was to get Slashdotted.

And by the way, Apple is dying. ;)

Re:Where's the evidence??? (5, Insightful)

lakeesis (325621) | more than 9 years ago | (#9068613)

I think it's even more disturbing that the author doesn't seem to have a problem with the use of only one source to back up what is a pretty wide-ranging assertion --> security company A says that apple has big flaws, so apple must have BIG FLAWS! OMG! The sky is falling!! -- instead of relying on a collection of different security company opinions to base her assertions.

Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.

--

If we do not do what we must do, what we must do does not get done.

Re:Where's the evidence??? (0, Interesting)

ceswiedler (165311) | more than 9 years ago | (#9068670)

Can you name a single Windows flaw that was in the kernel?

Do you actually know what a kernel is? Hint, Internet Explorer isn't in it.

There have been at least TWO Linux kernel security flaws in the past few months. Both were found by code auditing (not exploits) and both required local user access, but they were there nonetheless.

I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?

You can bash Microsoft's userland applications (RPC in particular!) as much as you want, but their kernel is extremely well-written.

Re:Where's the evidence??? (0)

Anonymous Coward | more than 9 years ago | (#9068750)

Do you have any idea at all what a kernel is? Do you have any idea where the problems with Windows XP occur and why? Do the people who modded you up know? I thought people who read this site were supposed to be barely technically competent!

I feel sorry for whoever has you administering their networks.

Macs may have security holes, but... (1, Insightful)

Rosco P. Coltrane (209368) | more than 9 years ago | (#9068531)

Macintosh machines are such a small percentage of the personal computer market they're not really an interesting target for virus makers. Kind of like Linux in a sense: however secure it's supposed, it hasn't really been put to the test and never had to withstand, in desktop installs, the kinds of attacks Windows (and DOS before it) have always been through.

Re:Macs may have security holes, but... (1)

GigsVT (208848) | more than 9 years ago | (#9068707)

I don't see how you can say that Linux "has never been put to the test".

There have been a handful of Linux worms in the wild, and thousands of script kiddies that will break into your server if it is unpatched.

A linux box is a very useful thing, because it is able to be completely remote controlled, with little effort, since that's the way it was designed. There are thousands of software programs that are a wget away, etc.

It's just not as useful to break into a Mac... I mean, what are you going to do, run photoshop in batch mode with applescript? Macs are just less useful, and thus, not worth breaking into.

Re:Macs may have security holes, but... (3, Interesting)

dfj225 (587560) | more than 9 years ago | (#9068722)

What I have always wondered is if there are groups of people who actively try to write viruses for OS X. I would imagine that there has to be at least one person who has tried to do so, even if it is just as a proof of concept and not intended to be released in the wild. At least the idea of being the first person to write a majorly destructive virus for OS X must be appealing to the type of person that creates Windows viruses for fame. I think that answers to questions like these are important because it relates to how we view the security of the system. Along the lines you mentioned, how can people say that OS X has very tight security if it has never been put to the test in the wild? That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.

Re:Macs may have security holes, but... (2, Interesting)

INeededALogin (771371) | more than 9 years ago | (#9068724)

This is such a tired comparison now.
I offer some counter examples...

Maybe hackers and virus writers can't afford to buy an Apple. Thus, how can you exploit a machine that you have little exposure to?

or

Maybe hackers have more respect for Apple taking open Open Source and being the underdog.

or

Maybe, just maybe... Apple really does have good security.

Blanket statements/stereotypes are usually incorrect. I would expect a little bit of the above and your argument is the case.

Duck and Cover! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#9068557)

Prepare yourselves for some fanatical foaming-at-the mouth, and the inevitable posting of the reviewer's home phone number.

Patches. Oooo. How scary. (3, Interesting)

ebbomega (410207) | more than 9 years ago | (#9068560)

So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.

On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely, /tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).

As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylinder Viper with the amount of resources they're claiming it's going to need to consume.

I'm happy with my fuel efficient tank that'll work on any road, thank you very much.

(Apologies to Neal Stephenson for borrowing the metaphor [spack.org])

Re:Patches. Oooo. How scary. (0)

Anonymous Coward | more than 9 years ago | (#9068601)

LOL, you actually have a "/filez" partition? Methinks you've been hanging out in IRC too much.

Re:Patches. Oooo. How scary. (1)

duffbeer703 (177751) | more than 9 years ago | (#9068708)

Exactly, having a "root" superuser who is not subject to any restrictions as far as file access and resource utilization is the ultimate level of security.

I'm happy that any system administrator can use "su" to assume my identity, and then use his root powers to cover his tracks.

Wishing for a way to mod "journalists" as trolls.. (5, Interesting)

mike_lynn (463952) | more than 9 years ago | (#9068566)

Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."

And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!

I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.

I couldn't pass this up, folks... (4, Funny)

revolvement (742502) | more than 9 years ago | (#9068584)

...an "Apple", with "holes" in it, which could be exploited by "Worms"...

Well, I thought it was funny, at least.

Apple knows its audience (5, Informative)

Reverberant (303566) | more than 9 years ago | (#9068587)

A comment in response to the Scobleizer [weblogs.com] blog said it best:

Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=61798 [apple.com] clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a050304-1.txt [atstake.com]

Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

Apple has pretty much jumped the shark anyway... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9068597)

There has recently been much restlessness [88.net] in the ranks of the Mac cult, with regard to display problems on the 15" PowerBooks. This is a popular model, and Apple appears utterly incompetent at dealing with widespread manufacturing/design problems. There's a petition [petitiononline.com] with almost 2,000 signatures from ticked-off Kool-Aid drinkers.

Add this to the iPod Mini quality problems they've been having, and you don't need to be a Kreskin, etc., etc. to see that Apple is especially beleaguered these days. These OS/X virus/worm scares are just about all they need right now.

No, YOU have jumped the shark... (1, Flamebait)

Aquafort (772248) | more than 9 years ago | (#9068723)

And whoever modded you "Informative" should have followed your links. The "white spots" problem is old news and doesn't affect the current line of powerbooks or the previous line either (which I own one of). It's like saying MS has jumped the shark in 2004 because Windows 95 came out so late. Thanks for playing, Fonzie.

moot (2, Insightful)

jdunlevy (187745) | more than 9 years ago | (#9068606)

Not only does the article [techworld.com] offer only very little in the way of evidence, but the whole point of the article appears moot. My favorite quote at http://secunia.com/advisories/11539 [secunia.com] (linked from the article):

"Solution:
Apply Security Update 2004-05-03."

(The article is dated "04 May 2004")

*Nobody* advertises their holes (2, Insightful)

pmiller396 (457575) | more than 9 years ago | (#9068630)

Name me one software company that goes out of their way to advertise or publicize their security problems. Microsoft certainly doesn't.

The holes are generally publicized by outside parties (like @stake and Secunia in this article) who somehow make their living finding these problems (1. find bugs 2. ??? 3. profit!)

We hear about MS's bugs so much because they affect so many people, there are so many of them (bugs .. and users too, I guess), and MS has made it plain they won't fix these problems unless there is bad publicity.

About time the cat was belled (2, Interesting)

Anthony (4077) | more than 9 years ago | (#9068635)

A colleague submitted a bunch of local exploit reports to Apple months ago with no reasonable response. I certainly don't read mail on my iBook.

Moles here? (1)

Roberto Qwerty (103036) | more than 9 years ago | (#9068647)

Why do articles without facts like this one and the one recently circulating about european labels fearing Apple's dominance of the music industry suddenly hit the web and then are referenced ad nauseam by web sites?

Is there a concerted campaign here?

And why do similar comments like "security through obscurity" come up here as criticism when little or no real examples are shown via the article?

Is this place (and the web) being used for a FUD campaign?

hmmmm....

M$...? (1)

Halueth (776646) | more than 9 years ago | (#9068650)

I know M$ is putting a lot of money in Apple. Maybe same same way of working now ;) Ah well...

Don't worry be Happy (1)

Sophrosyne (630428) | more than 9 years ago | (#9068653)

If you're a big fearmonger here is an idea- don't do anything on a computer that is sensitive.
Don't cheat on your wife online, don't keep sensitive data about yourself or other people on a system connected to the internet, and those nuclear weapons designs you carry around on your laptop... try encrypting them or something.
...Another idea: Trust in your legal system! If someone really wants to get ya, I doubt it will be by hijacking your macintosh, try not to worry so much- it'll give you grey hair.

So why was this posted then? (4, Insightful)

kiwioddBall (646813) | more than 9 years ago | (#9068658)

If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.

Don't publicize such articles by posting them on Slashdot.

Clarification... (4, Insightful)

vikingshelmut (324101) | more than 9 years ago | (#9068668)

I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policies.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...

Black Cadillacs (5, Interesting)

Graymalkin (13732) | more than 9 years ago | (#9068671)

It is really nice of TechWorld to let companies write their "articles" for them. This article is complete and utter tripe. I think this is quite a bit worse than the expose from Intego and their inane little "trojan horse". None of the outlined exploits went unpatched for any significant period of time, I downloaded the security updates that cleared up the problems just last week in fact. They're also not the sort of exploits that make Sasser and Blaster look like little nips.

Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:

This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.

He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.

Apple isn't particularly good at the patching game (4, Interesting)

SilentChris (452960) | more than 9 years ago | (#9068702)

While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who are putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently includes 18 MB of the Quicktime logo for each language it supports: Not So Quickthinking on this page [tripod.com]. That's just lazy work.

Virus Scanner Sales (2, Interesting)

Wasteofspace (777087) | more than 9 years ago | (#9068715)

Who is to say that certain virus protection companies are hoping that virus infections in OSX start to become widespread? I know that most mac users do not use virus scanners, and the virus scanners that are available seem to only list windows viruses with about 1000 very old Mac viruses. To allow widespread security breaches promotes the creation of viruses, which in turn, promotes the creation and sales of antivirus software.

Follow the leader (1)

scdeimos (632778) | more than 9 years ago | (#9068728)

Secunia has given the five - yes, five - patches a "highly critical" rating...

Eww aah... five patches. Maybe Apple should have followed MS's lead from last month and rolled them all up into one patch to rule them all [microsoft.com]. :)
