Forgot your password?
typodupeerror
Security Businesses Apple

Apple Uncommunicative About Security Holes 573

Posted by pudge
from the raising-you-one-worm dept.
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
This discussion has been archived. No new comments can be posted.

Apple Uncommunicative About Security Holes

Comments Filter:
  • Reasons why... (Score:5, Informative)

    by BWJones (18351) * on Wednesday May 05, 2004 @06:52PM (#9068472) Homepage Journal
    Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is also working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).

    I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?

    • Re:Reasons why... (Score:5, Interesting)

      by Anonymous Coward on Wednesday May 05, 2004 @06:54PM (#9068495)
      If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.
      Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
      • Re:Reasons why... (Score:5, Informative)

        by talaper (529106) * on Wednesday May 05, 2004 @07:01PM (#9068551)
        Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

        you're statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.
        • by Anonymous Coward on Wednesday May 05, 2004 @07:06PM (#9068618)
          You are correct sir! It's not like Microsoft released the patch for the Welchia worm a month before the worms release or anything!

          • update mechanisms (Score:5, Informative)

            by Onan (25162) on Wednesday May 05, 2004 @09:36PM (#9069705)
            You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.

            1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)

            Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.

            2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.

            While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.

            So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.
            • Re:update mechanisms (Score:5, Informative)

              by sjlutz (540312) on Wednesday May 05, 2004 @10:45PM (#9070099)
              I've seen Windows and Microsoft bashed enough on Slashdot, and sometimes for good reasons, but I have to say that the parent post is completely wrong.

              1) The Windows Update is installed by default, and (annoyingly) pops up when using a new computer until you tell it what to do. The options are simple: 1) Enable Windows Update (on by default). a) Notify before downloading, b) Download automatically, but don't install. c) Auto-download, and auto-install at scheduled time. Default is Updates ON, but just to notify.

              2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related) messing up an existing exchange server. I have yet to have a security update mess anything up, and I run about 100 windows servers. Like any update, I do test on a non-production box (like staging server or development server) before I push to production, but I have yet to have a problem.

              • by Gumph (706694) on Thursday May 06, 2004 @05:09AM (#9071616)
                2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related)

                Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix) if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys - (the last one being PRETTY common on corporate servers) instead of your machine rebooting all the time - it will just hang or fill up a CPU to 100%
                Microsoft are now offering a hotfix to one of their patches! priceless!!
            • Re:update mechanisms (Score:5, Informative)

              by TechniMyoko (670009) on Wednesday May 05, 2004 @10:47PM (#9070112) Homepage
              Windows Update is semi automatic. It downloads the patches rated critical, and asks permission to install them.

              As for some patches causing trouble, I seem to remember an update for OSX that neutered the network adapter.

              As for DLL hell, that was cured in XP/2K which keeps multiple versions of DLLs

          • Re:Reasons why... (Score:4, Interesting)

            by gumbi west (610122) on Wednesday May 05, 2004 @10:45PM (#9070091) Journal
            When I had a win2k box, I applied every ding-dong patch and one day the damn thing just stoped working. I had to spend about a day uninstalling back to SP1 before it worked. Then I discovered, adding anything more to that made it crash again (blue screen).

            They may release the patch... but what if your computer is rendered useless by applying it?

        • Re:Reasons why... (Score:5, Insightful)

          by abscondment (672321) on Wednesday May 05, 2004 @08:30PM (#9069293) Homepage
          Security holes in any system will come out more quickly when more people use it. The fact that Apple can (usually) find and fix security holes before they are made publicly known might just stem from the fact that their user base is smaller than Microsoft's and therefore their security holes are more obscure (in terms of publicity, not coding content). The most used product will always have the most exposed flaws. Microsoft simply can't keep up with the number that are exposed; who's to say they same wouldn't be true if Apple was the industry standard? Immunity from errors of this kind can be found in open source type systems, but that's a whole other can of worms.
        • Re:Reasons why... (Score:5, Interesting)

          by prockcore (543967) on Wednesday May 05, 2004 @09:25PM (#9069623)
          Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. that's a BIG difference.

          Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.

          When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definately think twice about it.

          I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.
          • Re:Reasons why... (Score:5, Informative)

            by MO! (13886) on Wednesday May 05, 2004 @09:54PM (#9069820) Homepage
            I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.

            Well you're thinking is impaired and you should therefore refrain from making such grossly inaccurate assumptions.

            Personally, I have 2 Windows 2000 systems, 1 Windows XP laptop, 1 MacOS X Powerbook, and 1 FreeBSD firewall. Not only do I weekly sync the FreeBSD box up via cvs and recompile the Stable source tree, I also patch both Win2k and the Mac as needed via the same 56K dial up. I haven't been hit with any of the Windows worms/viruses, nor any FreeBSD or Mac problems. That's because I run Windows Update nearly every other day, and MacOS X's Software Update at least a few times a week (in case a new patch I've not already heard about is there).

            Yeah, it sucks on dialup - and I frequently let the updates download overnight while I sleep. That's what my cell phone is for - voice conversations. If you're thinking twice about 50MB and you're not limited to dial up, I think you're nuts. I keep all of my systems as up to date as possible. Luckily the XP laptop is for work only, so I can run Windows Update from work with it.

        • Re:Reasons why... (Score:5, Insightful)

          by Cardinal Biggles (6685) on Thursday May 06, 2004 @04:30AM (#9071503)
          Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are.

          Quietly, yes, very. Quickly? No.

          If you call a fix for a good ol' buffer overflow a "patch to improve the handling of long passwords" you're being too quiet: people will not be properly motivated to install the patch.

          And doing roll-up patches for old (sometimes very old) issues once a month only does not qualify as quick. Sorry.

          I mean, look at this week's update, all of the issues patched were discovered in 2003.

          Like some others here I am completely astonished that "security by obscurity" is suddenly a good thing when Apple does it. Come on folks, get a grip. Apple isn;t doing this right, don't close your eyes to that simple, obvious fact just because you like them.

      • Re:Reasons why... (Score:5, Insightful)

        by CuriHP (741480) on Wednesday May 05, 2004 @07:07PM (#9068619)
        Security by obscurity is bad as a long term approach. However, it's not necessarilly a bad thing during the day/week/month it takes you to write and test the fix.

        It would be a bad idea to protect your house by trying to keep the fact that your front door's lock is broken a secret. But, it also wouldn't be a good idea to put a giant sign out advertising that fact while you were waiting for the locksmith.
        • Re:Reasons why... (Score:5, Informative)

          by neuroticia (557805) <neuroticia@@@yahoo...com> on Wednesday May 05, 2004 @07:15PM (#9068709) Journal
          Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

          It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an unsecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

          Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

          If there's a vulnurability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

          -Sara
          • Re:Reasons why... (Score:4, Interesting)

            by CuriHP (741480) on Wednesday May 05, 2004 @07:21PM (#9068757)
            I'd agree with you for any issue that you can have some control over before the patch becomes available. What I mean is that if you can work around the hole by turning off a certain service or blocking a specific range of ports, then certainly everyone should be made aware of this.
            • Re:Reasons why... (Score:5, Informative)

              by 47Ronin (39566) <(glenn) (at) (47ronin.com)> on Wednesday May 05, 2004 @07:54PM (#9069008) Homepage
              Perspective: people are surprised by all the security updates that Apple releases.

              Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.
              • Re:Reasons why... (Score:5, Informative)

                by LostCluster (625375) * on Wednesday May 05, 2004 @09:18PM (#9069586)
                When colleges were opening up this year, there were massive worm problems because unpatched Windows XP computers were coming straight out of the box, and they were discovering access to the Internet during their first bootups. Computers were being exploited within a matter of seconds because there were just so many infected computers. And once a new computer gets hit, it was just one more sending random attacks.

                All of the RPC-flaw worms would have had much smaller impacts if only the people who actually used Remote Proceedure Calls were running it. Simply put, that'd mean next to nobody would be running that service, and therefore there'd be much fewer people at risk, and therefore much fewer people infected, and therefore much longer of a wait time before any given IP address is randomly hit with an attempt.

                Microsoft's learned the moral of this tale. All recently released versions of Windows start with all non-critical services turned off until the user does something to enable them. SP2 will apply this logic retroactively to Windows XP Home, and that'll take care of most home users and college kids. This will greatly lower the odds of Windows ever being hit with worms of this size again...
          • Re:Reasons why... (Score:5, Insightful)

            by sydb (176695) * <<michael> <at> <wd21.co.uk>> on Wednesday May 05, 2004 @07:26PM (#9068805)
            Yes but you're not telling only the owners of the lockers, you're telling everyone walking by the gym too.

            Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.

            I have no idea how to solve this, it's a fairly deep question, deeper than me just now with a bottle of wine in me.
            • Re:Reasons why... (Score:5, Insightful)

              by wfberg (24378) on Wednesday May 05, 2004 @08:02PM (#9069070)

              Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.


              You're assuming
              a) that the black-hat community does NOT disseminate vulnerabilities amongst themselves even before the white-hat community does
              b) that patching is the only way to get rid of a vulnerability.

              Case in point wrt b) the Sasser worm is effectively killed by switching on your friendly neighborhood firewall/IP filtering (which is built right in to the affected OSes). You don't even need to switch off a single service (though in many cases only a single service (or daemon) is affected).
            • Re:Reasons why... (Score:4, Insightful)

              by Disevidence (576586) on Wednesday May 05, 2004 @08:51PM (#9069443) Homepage Journal
              With honesty, you let the possibility for the exploit to be used, but you also make people aware of the fact so they can take steps to stop it from ever happening.

              Sweeping it under the carpet until you have a patch ready is ridiculous reasoning. What if the exploit details get leaked, but not published?

              What happens if a black hat comes across it anyway? Then you have an exploit being used that no-one knows about yet.

              Full Disclosure has risks, but it allows for more corrective steps to be taken then waiting for a patch or something similar.
      • by duffbeer703 (177751) * on Wednesday May 05, 2004 @07:11PM (#9068664)
        You obviously don't understand the fact that Steve Jobs is a genius. I once witnessed Steve turn a barrel of rocks into gold bricks. The man is amazing.

        OS X holes aren't problems, but opportunities for Mac users who "Think Different." to explore the creative possibilities of their Mac from a new, unique and artful perspective.

        Apple is a corporation that cares about and nurtures the creative class of our society. "Security" is just another word for mindless oppression by the man.

        Microsoft is just and evil corporation in it for the money, and they put holes in their software to sell more stuff!
      • Re:Reasons why... (Score:5, Interesting)

        by gunnk (463227) <gunnk@@@mail...fpg...unc...edu> on Wednesday May 05, 2004 @07:11PM (#9068665) Homepage
        Because we all know Security by Obscurity is the best approach. Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

        No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

        As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.

        Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.

      • Re:Reasons why... (Score:3, Insightful)

        by Anonymous Coward
        uh, the quicktime bug that was "ignored" was patched on 5/3/2004. the article the author linked to says so. i believe the AFP problem was addressed in the same security update. OOPS! better check to see if they've patched the holes before you accuse them of not patching the holes.

        so, after all of the crap people have slung at apple trying to discredit their security, one simple fact still remains: every 3-6 months, there is some worm that does millions of dollars of damage, spreads by getting the windo
      • by Anonymous Coward on Wednesday May 05, 2004 @08:23PM (#9069244)
        Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

        Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far a whether Apple is taking any amount of time to patch security holes.

        If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absense of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".

        Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".
    • Re:Reasons why... (Score:5, Interesting)

      by daviddennis (10926) <david@amazing.com> on Wednesday May 05, 2004 @06:59PM (#9068533) Homepage
      This is written by a guy who either still writes for the Register, or used to do so. I don't think he's a Microsoft shill, but I think as a journalist he wants stuff to report about, and is probably irked Apple's not feeding him the dope. It's not by accident news is called dope by the press, you know; it's addictive, like food.

      That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

      D

      • by bonch (38532) on Wednesday May 05, 2004 @07:23PM (#9068779)
        Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.

        I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!

        Just felt like pointing it out. Good job in this instance.
      • Re:Reasons why... (Score:4, Interesting)

        by LostCluster (625375) * on Wednesday May 05, 2004 @08:44PM (#9069401)
        That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.

        When it comes to security holes... publicity is a very bad thing. When a security hole is reported accross the mass media, it sends a wake-up call to hackers. When the patch to fix that security hole is released, it sends another wake-up call.

        By underplaying the importance, and quietly fixing the problem... Apple's trying to say "Please, don't notice that." No, they can't exactly muzzle the press from talking about the hole, but by not answering media questions and by not making loud announcements when they patch holes, they end up making the life of a the media a lot harder... and that just means sometimes the story won't get written. And Apple likes when that happens.

        There's a two-pronged reason for being happy. Of course, Apple's marketing people are happy that their reputation isn't damaged when there's less bad media reports... but also, hackers going after Apple end up getting less information. Afterall, loud mass-media mentions of a hole reveals information to everyone, but the enemy is a subset of everyone, and giving information to the enemy is rarely a good thing.
    • Re:Reasons why... (Score:5, Interesting)

      by Rosyna (80334) on Wednesday May 05, 2004 @07:02PM (#9068568) Homepage
      And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

      What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
      • Re:Reasons why... (Score:4, Interesting)

        by sydb (176695) * <<michael> <at> <wd21.co.uk>> on Wednesday May 05, 2004 @07:12PM (#9068682)
        There's absolutely nothing wrong with the approach you suggest, and I would also advocate it.

        But there's no point pretending that because you've kept it a secret, no-one's going to find out.

        So you have to be prepared for the worst, even if you don't ask for it.
      • Re:Reasons why... (Score:5, Insightful)

        by DA-MAN (17442) on Wednesday May 05, 2004 @07:26PM (#9068802) Homepage
        And FWIW, The Sasser worm seems to ONLY exist because MS fixed an exploit in lsass then immediately documented exactly why it happened, where it happened, and basically how to exploit it.

        I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.

        There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides even if the worm writer did find out throught he description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason, if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether i'd be able to recover something if it broke. If something goes wacky on a wireless card wpa fix, and your wireless card no longer works you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having ot do with wireless.

        What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system." ? Need bugfixes also give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.

        Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...
        • Occam's Razor (Score:5, Insightful)

          by Animaether (411575) on Wednesday May 05, 2004 @08:00PM (#9069050) Journal
          How do you know that the person who created the worm didn't have access to this exploit before?


          Apply Occam's Razor.
          What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
          -or-
          Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.

          Hmm. I wonder. %)

          # # #

          That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
          I know there is some issue with "What if the company gets the report, but doesn't do anything with it ?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw-documentation at a time, so that over time the likeliness of an exploit becomes higher - but only by those with enough knowledge, rather than every script-kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.
  • by PedanticSpellingTrol (746300) on Wednesday May 05, 2004 @06:53PM (#9068483)
    The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". Seems making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.
    • by neuroticia (557805) <neuroticia@@@yahoo...com> on Wednesday May 05, 2004 @07:00PM (#9068545) Journal
      It is if Apple ships with a version of Apache that is exploitable and does not issue an Average-User-Enabled (ie: no compiling necessary) patch within a decent amount of time. Apple including server software with an OS that goes out to people who have no idea what a server is, or the impact of running one.. does make it their problem.
    • by HeghmoH (13204) on Wednesday May 05, 2004 @07:01PM (#9068558) Homepage Journal
      And then they mention a hole in Apache? WTF? Not Apple's problem.

      It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.
    • The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?".

      I don't think there's anything truer than "There are dozens of holes in OSX". Also "There are dozens of holes in Windows" and "There are dozens of holes in Linux - pick a distro any distro". You only have to look at the number of patches released for ALL operating systems to see the truth in that. Some OSs will be worse than others and have more exploited holes, that's an argument for another time.

      Those h
  • by Txiasaeia (581598) on Wednesday May 05, 2004 @06:55PM (#9068502)
    Think about it: if Apple keeps quiet about the massive and widespread effects of viruses on their OS, the benefits are:

    -Less damage to the Apple brand
    -Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
    -More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.

    Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!

    • by neuroticia (557805) <neuroticia@@@yahoo...com> on Wednesday May 05, 2004 @07:10PM (#9068651) Journal
      Benefits of letting your users know:

      1- They will be aware that their OS isn't perfect. Healthy paranoia is essential to running a system that is secure. If you're not healthily paranoid... "That update? I'll download it later. First I'm gonna download this latest and greatest 3D Game and give it a go."

      2- If they are aware that there is currently a vulnurability for... Safari, they have the option of using an alternative browser until the vulnurability is patched. Quicktime? They're aware there is a problem, and put off on downloading quicktime from unknown sources for a while. (Brittney Spears porn? That can wait until a patch is out!)

      Bottom line- If Apple DOES NOT let their users know about a vulnurability and nothing happens--no biggie. If Apple knows about a vulnurability and DOES NOT let its users know, and something does happen.. Boom, Apple's got a virus, or a remote root exploit, and everyone knows about it. If Apple says "We knew", then they're guilty of not informing their customers. If Apple says "We didn't know", then they're guilty of not knowing how to secure their OS, and not keeping on top of things.

      Apple's got a small marketshare that they're trying to increase, and they're trying to burst into a new market where people are still skeptical. Covert cloak and daggar "security by obscurity" is never a good thing, and in this market it will only alienate. It's MUCH better for Apple to say "We have a vulnurability... And three hours later we have a patch."

      -Sara
    • by CODiNE (27417) on Wednesday May 05, 2004 @07:45PM (#9068936) Homepage
      I have to disagree with you on the "No bragging rights" point. A Mac only worm that spread around and nailed a few hundred thousand or so users, and even caused actual data loss would be a crushing blow to Apple... the writer of this would be quite infamous. Nobody cares when another Windows worm comes out, but if one comes out on the Macs, you'd better believe everyone who's ever said "Apple is dying!" is going to come crawling out of the woodwork and make sure it's never forgotten. Those of us in the know wouldn't be bothered much by it, but the FUD spread would be incredible.

      -Don.
  • by Anonymous Coward on Wednesday May 05, 2004 @06:56PM (#9068507)
    What people fail to realize is that there are literally hundreds, if not thousands, of people own Macs and many of them are now connected to the Internet.

    Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.
    • by arfuni (775132) on Wednesday May 05, 2004 @07:33PM (#9068847) Homepage
      Look buddy, this isn't a laughing matter. Starbucks locations with wireless access points would be torn with the chaos of obnoxious PowerBook owners complaining to cute barristas who would subject the internet to even more Livejournal and blog whining.
  • I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.

    However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here." There's really no proof (hard or soft) for any of the assertions in the article.

    In conclusion, there's really really nothing to see here.

    RD
    • by mst76 (629405) on Wednesday May 05, 2004 @07:19PM (#9068746)
      > I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.

      Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP adresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread [slashdot.org]: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.
  • by falcon5768 (629591) <Falcon5768.comcast@net> on Wednesday May 05, 2004 @06:56PM (#9068517) Journal
    The fact that they call this currrent windows worm not a major threat tells you where their mind is and whos paying their pockets.

    I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.

  • by malchus842 (741252) <stephen@adamsemail.net> on Wednesday May 05, 2004 @06:58PM (#9068528) Homepage

    I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).

    Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel.

    Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.

    • I can't believe that the editors (are there any?) let this article see the light of day.

      The story got mentioned on Slasdhot, MyAppleMenu, and Spymac... it's gotten plenty of coverage. I never never that site existed until this article. Its sole purpose, I believe, was to get Slashdotted.

      And by the way, Apple is dying. ;)
    • by lakeesis (325621) <lakeesis AT yahoo DOT com> on Wednesday May 05, 2004 @07:06PM (#9068613) Homepage
      I think it's even more disturbing that the author doesn't seem to have a problem with the use of only one source to back up what is a pretty wide-ranging assertion --> security company A says that apple has big flaws, so apple must have BIG FLAWS! OMG! The sky is falling!! -- instead of relying on a collection of different security company opinions to base her assertions.

      Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.

      --

      If we do not do what we must do, what we must do does not get done.
  • by ebbomega (410207) on Wednesday May 05, 2004 @07:02PM (#9068560) Journal
    So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.

    On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely, /tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).

    As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylander Viper with the amount of resources they're claiming it's going to need to consume.

    I'm happy with my fuel efficient tank that'll work on any road, thank you very much.

    (Apologies to Neal Stephenson for borrowing the metaphor [spack.org])
  • by mike_lynn (463952) on Wednesday May 05, 2004 @07:02PM (#9068566)
    Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."

    And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!

    I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.

    • by CalTrumpet (98553) on Wednesday May 05, 2004 @07:32PM (#9068838)
      Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.

      Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.

      Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
  • by revolvement (742502) on Wednesday May 05, 2004 @07:03PM (#9068584)
    ...an "Apple", with "holes" in it, which could be exploited by "Worms"...


    Well, I thought it was funny, at least.
  • by Reverberant (303566) on Wednesday May 05, 2004 @07:04PM (#9068587) Homepage

    A comment in response to the Scobleizer [weblogs.com] blog said it best:

    Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=617 98 [apple.com] clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a0 50304-1.txt [atstake.com]

    Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

    Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

  • moot (Score:3, Insightful)

    by jdunlevy (187745) on Wednesday May 05, 2004 @07:05PM (#9068606) Homepage
    Not only does the article [techworld.com] offer only very little in the way of evidence, but the whole point of the article appears moot. My favorite quote at http://secunia.com/advisories/11539 [secunia.com] (linked from the article):

    "Solution:
    Apply Security Update 2004-05-03."


    (The article is dated "04 May 2004")
  • by Anthony (4077) <adavid@adavid.com.au> on Wednesday May 05, 2004 @07:08PM (#9068635) Homepage Journal
    A colleague submitted a bunch of local exploit reports to Apple months ago with no reasonable response. I certainly don't read mail on my iBook.
  • by kiwioddBall (646813) on Wednesday May 05, 2004 @07:11PM (#9068658) Homepage
    If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.

    Don't publicize such articles by posting them on Slashdot.

  • Clarification... (Score:4, Insightful)

    by vikingshelmut (324101) on Wednesday May 05, 2004 @07:12PM (#9068668)
    I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
    Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policys.
    How many different patches were released for XP within the last 6 months compared to Apple? I thought so...
  • Black Cadillacs (Score:5, Interesting)

    by Graymalkin (13732) * on Wednesday May 05, 2004 @07:12PM (#9068671)
    It is really nice of TechWorld to let companies write their "articles" for them. This article is complete and utter tripe. I think this is quite a bit worse than the expose from Intego and their inane little "trojan horse". None of the outlined exploits went unpatched for any significant period of time, I downloaded the security updates that cleared up the problems just last week in fact. They're also not the sort of exploits that make Sasser and Blaster look like little nips.

    Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of preportion by Kieren McCarthy:

    This conclusion is based on the fact that Apple merely describes vulnerability 3 as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.


    He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
  • by SilentChris (452960) on Wednesday May 05, 2004 @07:14PM (#9068702) Homepage
    While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who's putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently include 18 MB of the Quicktime logo for each of language it supports: Not So Quickthinking on this page [tripod.com]. That's just lazy work.
    • by laird (2705) <lairdp.gmail@com> on Wednesday May 05, 2004 @08:28PM (#9069277) Journal
      "While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"

      Apple's description of the patch was rather terse (AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.
  • Attack story (Score:5, Informative)

    by Penguinshit (591885) on Wednesday May 05, 2004 @07:35PM (#9068864) Homepage Journal

    Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.

    The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.

    The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.

    The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.

    Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.

    • Wrong target (Score:3, Interesting)

      by argent (18001)
      We can add that the "trojan" they refer to requires that the file be embedded in an apple-specific disk image format and can not be triggered by a normal download... and anyone in a position to convince someone to run the "trojan" has plenty of other avenues of attack.

      And that's the real problem I wish Apple would catch on to.

      The biggest security problem in Windows is one that most people, and most "official" security announcement sites, don't even pay attention to... and that is the tight integration bet
  • Nice propaganda (Score:5, Informative)

    by mabu (178417) on Wednesday May 05, 2004 @07:41PM (#9068900)
    With all due respect, this is much ado about nothing. Let's examine some of the claims:

    * Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS

    Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.

    * Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.

    Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.

    * A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.

    Ok, this may be ONE issue so far that is attributable to Apple.

    * An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.

    WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?

    * An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.

    More unconfirmed vulnerabilities? Nice FUD.

  • by amichalo (132545) on Wednesday May 05, 2004 @07:44PM (#9068929)
    I dont' spend much time talking about my heart condition, so when people ask me about it, I give them odd looks, explain it away and generally dismiss it.

    Mind you, I don't have a heart condition, or at least, not one any doctor has identified. I guess I *could* have one and just don't know it. Sure I do some of the things that could lead to a heart condition. Don't smoke but do drink. Don't eat fast food but do enjoy butter on my baked potato, that sort of thing.

    I think that this journalist is trying to spread FUD about the Apple dieing of a heart condition it doesn't have.
  • by allgood2 (226994) on Wednesday May 05, 2004 @07:47PM (#9068958)
    I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rifed with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continously calling up complaining, there really is no reason to talk about a security hole.

    Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonablly well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also effect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.

    Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also effecting Linux, and Unix machines as well. Like the security update from yesterday or the day before address issues in Apache, IPSec, OpenSSL, and CUPS.

    The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.

    The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to Apple each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who original posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.

    Blah, blah, blah...isn't this just more of I'm looking, scraping, scrouning for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actual focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?
  • by MrLint (519792) on Wednesday May 05, 2004 @07:54PM (#9069003) Journal
    Lets u begin what 2 of those 5 'highly critical' advisories, according to that linked page haven't been confirmed yet. One does indeed wonder that if Apple is allegedly not taking them seriously, and this reporting place is, why are they not in fact confirmed. Perhaps we can argue just as well that Secunia is doing a 'half-hearted' job at testing.

    Ok now see how one can go off half cocked? this is the statement from McCarthy " Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more"

    Im not really sure what more one would want them to say? Perhaps "OH MY GOD THIS IS A DISASTER!" Well clearly its not. But if you want to hype it for an article sure whatever. Perhaps you want want to know exactly when it'll be fixed. Good let them give you some fictional date that they makeup before they have actually investigated it. But hey sure you can hype in your article.

    To be annoyingly pedantic, apache isnt part of the OS. Additionally most people dont use the (Apache) built in web server. I should also mention that none of the 3 articles linked about the Apache problem are listed as 'highly critical' anyway. (2 moderate and one 'less')

    IPsec ones.. both moderate. So this leaves us with 2 unconfirmed, 2 moderates, and 1 left of privilege escalation. I cant say much about it as I dont know anymore than the rather curt descriptions.

    The really best part is is what is claimed to be "Apple's half-hearted effort to these holes" Links to a page on a security update for them. But hey if you need to hyper that a fix means nothing is being done because you have an article deadline.. then sounds like you are doing a "half hearted" job.
  • by joebolte (704665) on Wednesday May 05, 2004 @08:12PM (#9069161) Homepage

    The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."

    The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable.

    The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.

    Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that soemone will bite.

  • by Anonymous Coward on Wednesday May 05, 2004 @08:24PM (#9069252)
    I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).

    I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.

    I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine [carrel.org], the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms [macslash.org] -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing [boingboing.net] response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is , um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non-sequitor and ad-hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.

    People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.

    That's all I have to say on this.
  • by Negativeions101 (706722) on Wednesday May 05, 2004 @08:36PM (#9069340)
    Perspective: people are surprised by all the security updates that Apple releases. Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac. I think this sums up the arguement nicely.... so why were people still ranting about BS after 47Ronin posted it?
  • by Schapht (84396) on Wednesday May 05, 2004 @08:42PM (#9069388) Homepage
    It seems to me that all these holes are in systems that the average OS X user wouldn't use very often if at all. I'm a developer using Mac OS X, and I'm not even effected by most of these.
    1. as far as I can tell, OS X uses Apache 1, not 2
    2. I don't use IPSec, but some people might. I would bet the percentage is small
    3. Most people use Samba anymore because it's not as proprietary as AFS
    4. most users don't allow remote logins (escalation wouldn't be a problem)
    5. not sure about RAdmin


    My point being that, first off Apple might want to be quiet about it because the majority isn't effected, and second the vunerabilities aren't nearly integral to the OS as most windows vulnerabilities are.

    My apologies if this is redundant.
  • by mclaincausey (777353) on Wednesday May 05, 2004 @09:26PM (#9069637) Homepage
    OOTB, you will find OS X much more secure than the default configuration of almost any Windows or Linux boxen. If you further configure your OS X box to be a hair's breadth shy of paranoia, you will find that NO Windows box can even enter the conversation about security by comparison.

    This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.

    The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?

    If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notirious for self-aggrandizing FUD designed to promote their services.

    The reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?

  • Microsoft toadies (Score:4, Informative)

    by revscat (35618) * on Wednesday May 05, 2004 @09:40PM (#9069738) Journal

    From the article:

    Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.

    These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.

    Link [google.com].

    Pretty FUDdy article to me.

  • by Insolence2003 (766063) <Insolence2003 AT yahoo DOT com> on Wednesday May 05, 2004 @10:04PM (#9069880)
    Instead of "claiming" that OS-X has a horrible security issue, with practically no proof to back that statement up, I'd really LOVE to see a OS-X worm. In-fact, I would put up some money to the author of such a worm. Because up to this point, there has still been 0 serious security problems in OS-X.

    I do tech support all over So. CA, for mac and pc clients. And I have made 10x as much money from running to the PC client's LAN and ridding it of worms, spyware, and such, than to my Macintosh clients.

    I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack-thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.

    I easily backup friends and clients PC's through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.

    I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)

    In conclusion, I really would love to see a "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.

    Viva la OS-X!
    - Insolence (Mac User/Evangelist)

Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long

Working...