Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

Reasons why...

[BWJones]

Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is also working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).

I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?

Re:Reasons why...

[Anonymous Coward]

If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.

Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

Re:Reasons why...

[talaper]

Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

you're statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.

Re:Reasons why...

[Anonymous Coward]

You are correct sir! It's not like Microsoft released the patch for the Welchia worm a month before the worms release or anything!

update mechanisms

[Onan]

You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.

1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)

Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.

2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.

While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.

So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.

Re:update mechanisms

[sjlutz]

I've seen Windows and Microsoft bashed enough on Slashdot, and sometimes for good reasons, but I have to say that the parent post is completely wrong.

1) The Windows Update is installed by default, and (annoyingly) pops up when using a new computer until you tell it what to do. The options are simple: 1) Enable Windows Update (on by default). a) Notify before downloading, b) Download automatically, but don't install. c) Auto-download, and auto-install at scheduled time. Default is Updates ON, but just to notify.

2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related) messing up an existing exchange server. I have yet to have a security update mess anything up, and I run about 100 windows servers. Like any update, I do test on a non-production box (like staging server or development server) before I push to production, but I have yet to have a problem.

Re:update mechanisms

[Gumph]

2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related)

Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix) if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys - (the last one being PRETTY common on corporate servers) instead of your machine rebooting all the time - it will just hang or fill up a CPU to 100%
Microsoft are now offering a hotfix to one of their patches! priceless!!

Re:update mechanisms

[TechniMyoko]

Windows Update is semi automatic. It downloads the patches rated critical, and asks permission to install them.

As for some patches causing trouble, I seem to remember an update for OSX that neutered the network adapter.

As for DLL hell, that was cured in XP/2K which keeps multiple versions of DLLs

Re:update mechanisms

[Onan]

As for DLL hell, that was cured in XP/2K which keeps multiple versions of DLLs

Interesting. So how does that actually work? What controls which instances of the "same" dll gets used by which applications?

Re:update mechanisms

[transient]

Windows Update is semi automatic.

Just like my gun.

Re:Reasons why...

[gumbi west]

When I had a win2k box, I applied every ding-dong patch and one day the damn thing just stoped working. I had to spend about a day uninstalling back to SP1 before it worked. Then I discovered, adding anything more to that made it crash again (blue screen).

They may release the patch... but what if your computer is rendered useless by applying it?

Re:Reasons why...

[abscondment]

Security holes in any system will come out more quickly when more people use it. The fact that Apple can (usually) find and fix security holes before they are made publicly known might just stem from the fact that their user base is smaller than Microsoft's and therefore their security holes are more obscure (in terms of publicity, not coding content). The most used product will always have the most exposed flaws. Microsoft simply can't keep up with the number that are exposed; who's to say they same wouldn't be true if Apple was the industry standard? Immunity from errors of this kind can be found in open source type systems, but that's a whole other can of worms.

Can you say Apache?

[weston]

The most used product will always have the most exposed flaws.

Apache has demonstrated this is simply false.

Re:Can you say Apache?

[Enucite]

It's interesting you point out that "Even the devil can cite scripture for his purpose", and then proceed to assume it's only fair to include vulnerabilities of one of the most exploited scripting environments in order to inflate the Apache vulnerability count. Completely ignoring the fact that vanilla Apache has fewer vulnerabilities than IIS.

If you insist on including a scripting module, why didn't you choose the popular mod_perl [cert.org]?
Oh, whoops, that's not nearly as close!

Funny how that works. ;)

Re:Reasons why...

[prockcore]

Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.

Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.

When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definately think twice about it.

I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.

Re:Reasons why...

[MO!]

I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.

Well you're thinking is impaired and you should therefore refrain from making such grossly inaccurate assumptions.

Personally, I have 2 Windows 2000 systems, 1 Windows XP laptop, 1 MacOS X Powerbook, and 1 FreeBSD firewall. Not only do I weekly sync the FreeBSD box up via cvs and recompile the Stable source tree, I also patch both Win2k and the Mac as needed via the same 56K dial up. I haven't been hit with any of the Windows worms/viruses, nor any FreeBSD or Mac problems. That's because I run Windows Update nearly every other day, and MacOS X's Software Update at least a few times a week (in case a new patch I've not already heard about is there).

Yeah, it sucks on dialup - and I frequently let the updates download overnight while I sleep. That's what my cell phone is for - voice conversations. If you're thinking twice about 50MB and you're not limited to dial up, I think you're nuts. I keep all of my systems as up to date as possible. Luckily the XP laptop is for work only, so I can run Windows Update from work with it.

Re:Reasons why...

[Cardinal Biggles]

Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are.

Quietly, yes, very. Quickly? No.

If you call a fix for a good ol' buffer overflow a "patch to improve the handling of long passwords" you're being too quiet: people will not be properly motivated to install the patch.

And doing roll-up patches for old (sometimes very old) issues once a month only does not qualify as quick. Sorry.

I mean, look at this week's update, all of the issues patched were discovered in 2003.

Like some others here I am completely astonished that "security by obscurity" is suddenly a good thing when Apple does it. Come on folks, get a grip. Apple isn;t doing this right, don't close your eyes to that simple, obvious fact just because you like them.

Re:Reasons why...

[CuriHP]

Security by obscurity is bad as a long term approach. However, it's not necessarilly a bad thing during the day/week/month it takes you to write and test the fix.

It would be a bad idea to protect your house by trying to keep the fact that your front door's lock is broken a secret. But, it also wouldn't be a good idea to put a giant sign out advertising that fact while you were waiting for the locksmith.

Re:Reasons why...

[neuroticia]

Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an unsecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

If there's a vulnurability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

-Sara

Re:Reasons why...

[CuriHP]

I'd agree with you for any issue that you can have some control over before the patch becomes available. What I mean is that if you can work around the hole by turning off a certain service or blocking a specific range of ports, then certainly everyone should be made aware of this.

Re:Reasons why...

[47Ronin]

Perspective: people are surprised by all the security updates that Apple releases.

Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.

Re:Reasons why...

[LostCluster]

When colleges were opening up this year, there were massive worm problems because unpatched Windows XP computers were coming straight out of the box, and they were discovering access to the Internet during their first bootups. Computers were being exploited within a matter of seconds because there were just so many infected computers. And once a new computer gets hit, it was just one more sending random attacks.

All of the RPC-flaw worms would have had much smaller impacts if only the people who actually used Remote Proceedure Calls were running it. Simply put, that'd mean next to nobody would be running that service, and therefore there'd be much fewer people at risk, and therefore much fewer people infected, and therefore much longer of a wait time before any given IP address is randomly hit with an attempt.

Microsoft's learned the moral of this tale. All recently released versions of Windows start with all non-critical services turned off until the user does something to enable them. SP2 will apply this logic retroactively to Windows XP Home, and that'll take care of most home users and college kids. This will greatly lower the odds of Windows ever being hit with worms of this size again...

Re:Reasons why...

[LostCluster]

The affected service is indeed something that cannot/should not be directly turned off because it's the Local Security Authority Subsystem Service which is more-or-less at the center of the whole permissions structure in Windows.

However, that isn't by definition a network service itself. The only way that this flaw can be exposed to the network is if there is a running network service that depends on the LSASS to do user authentication for it... LSASS isn't network-aware in itself, it's just concerned with permissions of things on the local machine. In order for the worm to work, it must depend on the help of a network service in order to be able to get to the affected service to exploit the bug.

To put it mildly, if the Sasser worm can't get get in at port 445, which is an SMB file-sharing port, then it gives up and moves on to the next potential victim. Nobody should have port 445 exposed to the open Internet unless they want to share files with the world that way, which is most likely nobody at all. In fact, users who don't have a multi-PC home network have no business having that port open in the first place, they're not going to have use for SMB.

So, if File Sharing is turned off, the LSASS flaw would still exist but Sasser wouldn't be able to exploit it remotely, the LSASS flaw would be contained to only local users on that machine. In fact, anybody behind a firewall that denies port 445 would be protected from being exploited by anything on the other side of the firewall.

In short, if SMB shipped off by default, only those who turned on File Sharing and then failed to properly firewall it from the Internet would be infected. Those who were unaware of what File Sharing did would not be...

Re:Reasons why...

[sydb]

Yes but you're not telling only the owners of the lockers, you're telling everyone walking by the gym too.

Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.

I have no idea how to solve this, it's a fairly deep question, deeper than me just now with a bottle of wine in me.

Re:Reasons why...

[wfberg]

Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.

You're assuming
a) that the black-hat community does NOT disseminate vulnerabilities amongst themselves even before the white-hat community does
b) that patching is the only way to get rid of a vulnerability.

Case in point wrt b) the Sasser worm is effectively killed by switching on your friendly neighborhood firewall/IP filtering (which is built right in to the affected OSes). You don't even need to switch off a single service (though in many cases only a single service (or daemon) is affected).

Re:Reasons why...

[Disevidence]

With honesty, you let the possibility for the exploit to be used, but you also make people aware of the fact so they can take steps to stop it from ever happening.

Sweeping it under the carpet until you have a patch ready is ridiculous reasoning. What if the exploit details get leaked, but not published?

What happens if a black hat comes across it anyway? Then you have an exploit being used that no-one knows about yet.

Full Disclosure has risks, but it allows for more corrective steps to be taken then waiting for a patch or something similar.

Re:Reasons why...

[duffbeer703]

You obviously don't understand the fact that Steve Jobs is a genius. I once witnessed Steve turn a barrel of rocks into gold bricks. The man is amazing.

OS X holes aren't problems, but opportunities for Mac users who "Think Different." to explore the creative possibilities of their Mac from a new, unique and artful perspective.

Apple is a corporation that cares about and nurtures the creative class of our society. "Security" is just another word for mindless oppression by the man.

Microsoft is just and evil corporation in it for the money, and they put holes in their software to sell more stuff!

Re:Reasons why...

[gunnk]

Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.

Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.

Re:Reasons why...

[More Trouble]

The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

The vulnerabilities are announced on various security lists [google.com]. If you're paying even any attention, you can't help but notice.

:w

Re:Reasons why...

[Anonymous Coward]

uh, the quicktime bug that was "ignored" was patched on 5/3/2004. the article the author linked to says so. i believe the AFP problem was addressed in the same security update. OOPS! better check to see if they've patched the holes before you accuse them of not patching the holes.

so, after all of the crap people have slung at apple trying to discredit their security, one simple fact still remains: every 3-6 months, there is some worm that does millions of dollars of damage, spreads by getting the windo

Nah, just a bad article

[Anonymous Coward]

Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.

If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absense of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".

Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".

Re:Reasons why...

[daviddennis]

This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.

That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

D

Surprisingly unbiased article summary

[bonch]

Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!

Just felt like pointing it out. Good job in this instance.

Re:Reasons why...

[LostCluster]

That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

When it comes to security holes... publicity is a very bad thing. When a security hole is reported accross the mass media, it sends a wake-up call to hackers. When the patch to fix that security hole is released, it sends another wake-up call.

By underplaying the importance, and quietly fixing the problem... Apple's trying to say "Please, don't notice that." No, they can't exactly muzzle the press from talking about the hole, but by not answering media questions and by not making loud announcements when they patch holes, they end up making the life of a the media a lot harder... and that just means sometimes the story won't get written. And Apple likes when that happens.

There's a two-pronged reason for being happy. Of course, Apple's marketing people are happy that their reputation isn't damaged when there's less bad media reports... but also, hackers going after Apple end up getting less information. Afterall, loud mass-media mentions of a hole reveals information to everyone, but the enemy is a subset of everyone, and giving information to the enemy is rarely a good thing.

Re:Reasons why...

[Rosyna]

And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

Re:Reasons why...

[sydb]

There's absolutely nothing wrong with the approach you suggest, and I would also advocate it.

But there's no point pretending that because you've kept it a secret, no-one's going to find out.

So you have to be prepared for the worst, even if you don't ask for it.

Re:Reasons why...

[DA-MAN]

And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.

There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides even if the worm writer did find out throught he description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason, if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether i'd be able to recover something if it broke. If something goes wacky on a wireless card wpa fix, and your wireless card no longer works you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having ot do with wireless.

What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...

Occam's Razor

[Animaether]

How do you know that the person who created the worm didn't have access to this exploit before?

Apply Occam's Razor.
What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
-or-
Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.

Hmm. I wonder. %)

# # #

That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
I know there is some issue with "What if the company gets the report, but doesn't do anything with it ?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw-documentation at a time, so that over time the likeliness of an exploit becomes higher - but only by those with enough knowledge, rather than every script-kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.

Re:Reasons why...

[MrLint]

" $100 exchange for a refurbished iPod & battery after a year, the Appleheads insisted that it was perfectly ok"

Its really strange i haven't seen anything all those ipods the *need* a battery replacement after a year.

"Would would your reaction be if Steve Ballmer got up and said "patches do not matter, we are withholding them for your protection"? It would be a vertitable orgy of Microsoft denunciations."

Actually when MS said that their security holes are only exploited after they release the patches

Re:Reasons why...

[crackshoe]

Batteries fail over time. It happens - its even expected. Tires are expected to not blow up, causing the truck to flip over and possibly killing the owner ever - and especially not with relatively new tires. Batteries wearing out (Expected) versus explody death (Unexpected)? do i really need to keep going?

Re:Reasons why...

[tyrione]

Do you want to be accused of being an overgeneralizing ass that has no original sarcastic points to aide in one's mod points?

NeXTSTEP for the CIA WAS NOT NeXTSTEP for the General Consumer. I know I worked there. Get over it. OS X/X Server for the Federal Government will be a CUSTOM BUILD tailored to the Government Requirements certification specs.

Does that mean the Feds get a better OS? No. It means the Feds actually want a more limiting OS that when installed is hack proof and limited to doing spe

Wow, this is pointless

[PedanticSpellingTrol]

The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". Seems making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.

Re:Wow, this is pointless

[neuroticia]

It is if Apple ships with a version of Apache that is exploitable and does not issue an Average-User-Enabled (ie: no compiling necessary) patch within a decent amount of time. Apple including server software with an OS that goes out to people who have no idea what a server is, or the impact of running one.. does make it their problem.

Re:Wow, this is pointless

[HeghmoH]

And then they mention a hole in Apache? WTF? Not Apple's problem.

It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.

Re:Wow, this is pointless

[killjoe]

DO they ship apache with every copy of mac os x?

Re:Wow, this is pointless

[Elwood P Dowd]

DO they ship apache with every copy of mac os x?

Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.

The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".

I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.

Re:Wow, this is pointless

[baryon351]

The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?".

I don't think there's anything truer than "There are dozens of holes in OSX". Also "There are dozens of holes in Windows" and "There are dozens of holes in Linux - pick a distro any distro". You only have to look at the number of patches released for ALL operating systems to see the truth in that. Some OSs will be worse than others and have more exploited holes, that's an argument for another time.

Those h

Keeping quiet makes perfect sense to me!

[Txiasaeia]

Think about it: if Apple keeps quiet about the massive and widespread effects of viruses on their OS, the benefits are:

-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.

Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!

Re:Keeping quiet makes perfect sense to me!

[neuroticia]

Benefits of letting your users know:

1- They will be aware that their OS isn't perfect. Healthy paranoia is essential to running a system that is secure. If you're not healthily paranoid... "That update? I'll download it later. First I'm gonna download this latest and greatest 3D Game and give it a go."

2- If they are aware that there is currently a vulnurability for... Safari, they have the option of using an alternative browser until the vulnurability is patched. Quicktime? They're aware there is a problem, and put off on downloading quicktime from unknown sources for a while. (Brittney Spears porn? That can wait until a patch is out!)

Bottom line- If Apple DOES NOT let their users know about a vulnurability and nothing happens--no biggie. If Apple knows about a vulnurability and DOES NOT let its users know, and something does happen.. Boom, Apple's got a virus, or a remote root exploit, and everyone knows about it. If Apple says "We knew", then they're guilty of not informing their customers. If Apple says "We didn't know", then they're guilty of not knowing how to secure their OS, and not keeping on top of things.

Apple's got a small marketshare that they're trying to increase, and they're trying to burst into a new market where people are still skeptical. Covert cloak and daggar "security by obscurity" is never a good thing, and in this market it will only alienate. It's MUCH better for Apple to say "We have a vulnurability... And three hours later we have a patch."

-Sara

Re:Keeping quiet makes perfect sense to me!

[aristotle-dude]

1. Paranoia is not healthy. 2. We are talking about home user's here, not ./ readers. 3. Exposing vulnerabilities only helps out the script kiddies and virus/trojan writers. They can write and release an exploit long before a patch comes out.

Re:Keeping quiet makes perfect sense to me!

[CODiNE]

I have to disagree with you on the "No bragging rights" point. A Mac only worm that spread around and nailed a few hundred thousand or so users, and even caused actual data loss would be a crushing blow to Apple... the writer of this would be quite infamous. Nobody cares when another Windows worm comes out, but if one comes out on the Macs, you'd better believe everyone who's ever said "Apple is dying!" is going to come crawling out of the woodwork and make sure it's never forgotten. Those of us in the know wouldn't be bothered much by it, but the FUD spread would be incredible.

-Don.

This could be pretty serious

[Anonymous Coward]

What people fail to realize is that there are literally hundreds, if not thousands, of people own Macs and many of them are now connected to the Internet.

Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.

Re:This could be pretty serious

[arfuni]

Look buddy, this isn't a laughing matter. Starbucks locations with wireless access points would be torn with the chaos of obnoxious PowerBook owners complaining to cute barristas who would subject the internet to even more Livejournal and blog whining.

Re:This could be pretty serious

[System.out.println()]

A dialog box would pop up asking for the root password. At that point one presumes the user knows enough not to type it in.

You would HOPE so.... This has proven to be a very unreliable strategy in the past though.

Re:This could be pretty serious

[CuriHP]

There's really no reason they should care. You're right, a lot of RIT's art students haven't a clue how they're computer works. Same goes for engineering student( not CE, we know everything ;-) ), business students, and just about everyone else in the world. There's no reason these people should need to know how they're computer works anymore than they need to know how the nuclear reactor that gives them electricity works. It's not their field. If they're interested, great. But it should not be a requ

Re:This could be pretty serious

[Bun]

Have you actually talked to some art students lately? Aside from people that are actually doing computer graphics work, their computer skills (in general) are pitiful. Having a Mac does not help this - in fact, it gives them even less incentive to actually learn how their computer works beyond "double-click the cute little icon to open IE/AIM/Photoshop/etc.".

This is a problem, why? They are learning art, not computer science. They are ARTISTS learning about how to create ART, using the computer as a tool (or perhaps toolbox). This art is not some excuse for these students to hone up on their computer skills and become some sort of pseudo computer geek that would appear to be more acceptable to you.

Poorly thought out, badly written sensationalism.

[Raindance]

I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.

However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here." There's really no proof (hard or soft) for any of the assertions in the article.

In conclusion, there's really really nothing to see here.

RD

Re:Poorly thought out, badly written sensationalis

[mst76]

> I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.

Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP adresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread [slashdot.org]: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Where's the evidence???

[malchus842]

I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).

Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel.

Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.

Re:Where's the evidence???

[System.out.println()]

I can't believe that the editors (are there any?) let this article see the light of day.

The story got mentioned on Slasdhot, MyAppleMenu, and Spymac... it's gotten plenty of coverage. I never never that site existed until this article. Its sole purpose, I believe, was to get Slashdotted.

And by the way, Apple is dying. ;)

Re:Where's the evidence???

[lakeesis]

I think it's even more disturbing that the author doesn't seem to have a problem with the use of only one source to back up what is a pretty wide-ranging assertion --> security company A says that apple has big flaws, so apple must have BIG FLAWS! OMG! The sky is falling!! -- instead of relying on a collection of different security company opinions to base her assertions.

Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.

--

If we do not do what we must do, what we must do does not get done.

Re:Where's the evidence???

[SLot]

Can you name a single Windows flaw that was in the kernel?

http://www.net-security.org/vuln.php?id=3401
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2003-0112

I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?

http://www.microsoft.com/technet/security/bulletin /MS03-013.mspx

Google is your friend [google.com].

Re:Where's the evidence???

[Foolhardy]

That vulnerability requires the SeDebugPrivilege in order to exploit. It is normally (default) only given to members of the Administrators group. If a program is running as admin, then it is already a huge security hole. See http://www.securityfocus.com/archive/1/354392 [securityfocus.com].

Re:Where's the evidence???

[evilviper]

You can bash Microsoft's userland applications (RPC in particular!) as much as you want, but their kernel is extremely well-written.

How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:

XP:
http://www.securityfocus.com/bid/9694

NT4/2000/XP:
http://www.securityfocus.com/bid/7370
http://www.securityfocus.com/bid/3478
http://www.securityfocus.com/bid/4426

2000:
http://www.securityfocus.com/bid/6766
http://www.securityfocus.com/bid/8081

NT4/2000:
http://www.securityfocus.com/bid/10117
http://www.securityfocus.com/bid/1745
http://www.securityfocus.com/bid/1743

Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.

I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel" is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of kernel.

Re:Where's the evidence???

[evilviper]

So, in the three years that XP has been out, it has been affected by four kernel veulnerabilities.

What the hell is this, and idiot convention???

First off, I listed FOUR, count 'em, 4 exploits that affect XP. Second, I clearly said, in no uncertain terms, that this was a quickly-compiled, partial list. I listed less than half the Microsoft kernel exploits my quick search found.

RPC is not any more a part of the kernel than SSH is on Linux.

How about the 'Client Server Run-time Subsystem'? How about Netbios? How about the Virtual DOS Machine (VDM)?

Windows doesn't just have the basic drivers in it's kernel, it has a lot more complicated cruft in there too.

IE is definately *NOT* a part of the kernel.

Of course not, I was being facetious.

IE runs in *userspace*, and it is a seperate executable.

The program iexplore.exe is run in userspace, but the majority of the functions of the browser are not in the program, but in the OS itself. It is certainly not a solely user-space program.

The simple fact is that most flaws in XP are *not* from the kernel.

Statistically true, but completely irrelivant. If programs like OpenSSH were made far less securely, Unix systems would have a far lower percentage of kernel flaws. The fact that Windows system security is crap should not be used to disregard the Windows Kernel problems, after all, it's the kernel that this thread is all about.

Re:Where's the evidence???

[zenpiglet]

In general you have a point, the Windows kernel is way more stable than stuff like IE, Explorer, Office, etc, but there are still fixes issued for it.

For example, the recent MS04-011 [microsoft.com] fix which patches the vulnerability exploited by Sasser actually updates the kernel. If you look in the list of updated files you'll see "ntoskrnl.exe", "ntkrnlpa.exe", etc amongst some other critical system files (such as Winlogon.exe, Lsass.exe, etc)

If you bother looking there are many other fixes that update the kernel, t

Patches. Oooo. How scary.

[ebbomega]

So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.

On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely, /tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).

As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylander Viper with the amount of resources they're claiming it's going to need to consume.

I'm happy with my fuel efficient tank that'll work on any road, thank you very much.

(Apologies to Neal Stephenson for borrowing the metaphor [spack.org])

Wishing for a way to mod "journalists" as trolls..

[mike_lynn]

Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."

And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!

I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.

Re:Wishing for a way to mod "journalists" as troll

[CalTrumpet]

Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.

Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.

Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.

I couldn't pass this up, folks...

[revolvement]

...an "Apple", with "holes" in it, which could be exploited by "Worms"...


Well, I thought it was funny, at least.

Apple knows its audience

[Reverberant]

A comment in response to the Scobleizer [weblogs.com] blog said it best:

Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=617 98 [apple.com] clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a0 50304-1.txt [atstake.com]

Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

moot

[jdunlevy]

Not only does the article [techworld.com] offer only very little in the way of evidence, but the whole point of the article appears moot. My favorite quote at http://secunia.com/advisories/11539 [secunia.com] (linked from the article):

"Solution:
Apply Security Update 2004-05-03."


(The article is dated "04 May 2004")

About time the cat was belled

[Anthony]

A colleague submitted a bunch of local exploit reports to Apple months ago with no reasonable response. I certainly don't read mail on my iBook.

So why was this posted then?

[kiwioddBall]

If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.

Don't publicize such articles by posting them on Slashdot.

Re:So why was this posted then?

[blackmonday]

There lots of people out there who don't know what you know. Techworld, sounds so ... official, it must be true! I was trying to expose a BS article without explicitly calling it that. I'm glad we're debunking it.

Clarification...

[vikingshelmut]

I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policys.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...

Black Cadillacs

[Graymalkin]

It is really nice of TechWorld to let companies write their "articles" for them. This article is complete and utter tripe. I think this is quite a bit worse than the expose from Intego and their inane little "trojan horse". None of the outlined exploits went unpatched for any significant period of time, I downloaded the security updates that cleared up the problems just last week in fact. They're also not the sort of exploits that make Sasser and Blaster look like little nips.

Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of preportion by Kieren McCarthy:

This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.

He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.

Apple isn't particularly good at the patching game

[SilentChris]

While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who's putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently include 18 MB of the Quicktime logo for each of language it supports: Not So Quickthinking on this page [tripod.com]. That's just lazy work.

Re:Apple isn't particularly good at the patching g

[laird]

"While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"

Apple's description of the patch was rather terse (AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.

Attack story

[Penguinshit]

Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.

The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.

The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.

The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.

Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.

Wrong target

[argent]

We can add that the "trojan" they refer to requires that the file be embedded in an apple-specific disk image format and can not be triggered by a normal download... and anyone in a position to convince someone to run the "trojan" has plenty of other avenues of attack.

And that's the real problem I wish Apple would catch on to.

The biggest security problem in Windows is one that most people, and most "official" security announcement sites, don't even pay attention to... and that is the tight integration bet

Nice propaganda

[mabu]

With all due respect, this is much ado about nothing. Let's examine some of the claims:

* Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS

Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.

* Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.

Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.

* A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.

Ok, this may be ONE issue so far that is attributable to Apple.

* An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.

WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?

* An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.

More unconfirmed vulnerabilities? Nice FUD.

I don't talk about my heart condition either

[amichalo]

I dont' spend much time talking about my heart condition, so when people ask me about it, I give them odd looks, explain it away and generally dismiss it.

Mind you, I don't have a heart condition, or at least, not one any doctor has identified. I guess I *could* have one and just don't know it. Sure I do some of the things that could lead to a heart condition. Don't smoke but do drink. Don't eat fast food but do enjoy butter on my baked potato, that sort of thing.

I think that this journalist is trying to spread FUD about the Apple dieing of a heart condition it doesn't have.

Is Apple Uncommunicative?

[allgood2]

I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rifed with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continously calling up complaining, there really is no reason to talk about a security hole.

Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonablly well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also effect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.

Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also effecting Linux, and Unix machines as well. Like the security update from yesterday or the day before address issues in Apache, IPSec, OpenSSL, and CUPS.

The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.

The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to Apple each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who original posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.

Blah, blah, blah...isn't this just more of I'm looking, scraping, scrouning for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actual focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?

come snipe with me come snipe come snipe away!

[MrLint]

Lets u begin what 2 of those 5 'highly critical' advisories, according to that linked page haven't been confirmed yet. One does indeed wonder that if Apple is allegedly not taking them seriously, and this reporting place is, why are they not in fact confirmed. Perhaps we can argue just as well that Secunia is doing a 'half-hearted' job at testing.

Ok now see how one can go off half cocked? this is the statement from McCarthy " Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more"

Im not really sure what more one would want them to say? Perhaps "OH MY GOD THIS IS A DISASTER!" Well clearly its not. But if you want to hype it for an article sure whatever. Perhaps you want want to know exactly when it'll be fixed. Good let them give you some fictional date that they makeup before they have actually investigated it. But hey sure you can hype in your article.

To be annoyingly pedantic, apache isnt part of the OS. Additionally most people dont use the (Apache) built in web server. I should also mention that none of the 3 articles linked about the Apache problem are listed as 'highly critical' anyway. (2 moderate and one 'less')

IPsec ones.. both moderate. So this leaves us with 2 unconfirmed, 2 moderates, and 1 left of privilege escalation. I cant say much about it as I dont know anymore than the rather curt descriptions.

The really best part is is what is claimed to be "Apple's half-hearted effort to these holes" Links to a page on a security update for them. But hey if you need to hyper that a fix means nothing is being done because you have an article deadline.. then sounds like you are doing a "half hearted" job.

Let's Do Some Research

[joebolte]

The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."

The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable.

The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.

Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that soemone will bite.

Apple is scary to criticize

[Anonymous Coward]

I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).

I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.

I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine [carrel.org], the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms [macslash.org] -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing [boingboing.net] response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is , um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non-sequitor and ad-hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.

People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.

That's all I have to say on this.

47Ronin wrote this and almost everyone ignored it

[Negativeions101]

Perspective: people are surprised by all the security updates that Apple releases. Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac. I think this sums up the arguement nicely.... so why were people still ranting about BS after 47Ronin posted it?

Less used features vs. Core problems

[Schapht]

It seems to me that all these holes are in systems that the average OS X user wouldn't use very often if at all. I'm a developer using Mac OS X, and I'm not even effected by most of these.

1. as far as I can tell, OS X uses Apache 1, not 2
   
2. I don't use IPSec, but some people might. I would bet the percentage is small
   
3. Most people use Samba anymore because it's not as proprietary as AFS
   
4. most users don't allow remote logins (escalation wouldn't be a problem)
   
5. not sure about RAdmin
   

My point being that, first off Apple might want to be quiet about it because the majority isn't effected, and second the vunerabilities aren't nearly integral to the OS as most windows vulnerabilities are.

My apologies if this is redundant.

Nessus and nmap tell a much different story

[mclaincausey]

OOTB, you will find OS X much more secure than the default configuration of almost any Windows or Linux boxen. If you further configure your OS X box to be a hair's breadth shy of paranoia, you will find that NO Windows box can even enter the conversation about security by comparison.

This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.

The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?

If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notirious for self-aggrandizing FUD designed to promote their services.

The reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?

Microsoft toadies

[revscat]

From the article:

Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.

These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.

Link [google.com].

Pretty FUDdy article to me.

Here's what I'd like to see...

[Insolence2003]

Instead of "claiming" that OS-X has a horrible security issue, with practically no proof to back that statement up, I'd really LOVE to see a OS-X worm. In-fact, I would put up some money to the author of such a worm. Because up to this point, there has still been 0 serious security problems in OS-X.

I do tech support all over So. CA, for mac and pc clients. And I have made 10x as much money from running to the PC client's LAN and ridding it of worms, spyware, and such, than to my Macintosh clients.

I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack-thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.

I easily backup friends and clients PC's through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.

I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)

In conclusion, I really would love to see a "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.

Viva la OS-X!
- Insolence (Mac User/Evangelist)

Re:security holes on a BSD-based system???

[Kenja]

"Gee, and after all we've been told about Windows being the only insecure platform.... who'da thunk it?"

Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token. Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.

Re:security holes on a BSD-based system???

[BFaucet]

Hear hear! Well spoken, Bruce!

I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used asks the user to create a root username and pass, then tells the user that they shouldn't usually log in as root and gets them to create another user.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Macs may have security holes, but...

[dfj225]

What I have always wondered is if there are groups of people who actively try to write viruses for OS X. I would imagine that there has to be at least one person who has tried to do so, even if it is just as a proof of concept and not intended to be released in the wild. At least the idea of being the first person to write a majorly destructive virus for OS X must be appealing to the type of person that creates Windows viruses for fame. I think that answers to questions like these are important because it relates to how we view the security of the system. Along the lines you mentioned, how can people say that OS X has very tight security if it has never been put to the test in the wild? That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.

The difference here

[mcc]

Is that between the two companies you are making reference to:

• One is simply very quiet about security period.
• The other one makes a huge deal constantly about how they are improving their security, how they've changed their ways this time really and they're sending all their programmers to a 4-week course on how to not write buffer overflows, and windows is the most secure OS more than any of the competitors, etc.... while simultaneously trying to keep things as hushhush as they practically can about vulner

Re:Virus Scanner Sales

[Caradoc]

Why would I want to buy a virus scanner?

ClamAV, among others, compiles and runs just fine under Mac OS X...

Re:Small marketshare myth

[BCoates]

The number of vulnerable machines strongly affects the time it takes for a worm to spread.

Consider the extreme cases:

If there are two vulnerable machines, and the first one is infected by hand, it will take on average 2^32/2 or about 2 billion tries to find the other one.

If every IP address has a different infectable machine behind it, the work gets parallelized and a sufficently smart worm could infect every machine in the time it takes to do 32 infections. Even a less clever worm that probes randomly (thus duplicating a lot of effort) would infect nearly every machine after a few hundred infection-cycles.