Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public about the nature of the problems.
Re:Reasons why... (Score:5, Interesting)
Keeping quiet makes perfect sense to me! (Score:5, Interesting)
-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.
Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!
Re:Reasons why... (Score:5, Interesting)
That being said, Apple seems pretty good at sending out frequent security updates when needed, and it's dead easy to keep a system patched. Until I see something escaping into the wild, I'm not going to be too concerned. But I will avoid tempting fate by keeping my system patched.
D
Patches. Oooo. How scary. (Score:4, Interesting)
For the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has are user-defined places. Namely,
As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylinder Viper with the amount of resources they're claiming it's going to need to consume.
I'm happy with my fuel efficient tank that'll work on any road, thank you very much.
(Apologies to Neal Stephenson for borrowing the metaphor [spack.org])
So...where's the news? (Score:2, Interesting)
Wishing for a way to mod "journalists" as trolls.. (Score:5, Interesting)
And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!
I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.
Re:Reasons why... (Score:5, Interesting)
What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system."? Do bugfixes also need to give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
About time the cat was belled (Score:3, Interesting)
Re:Keeping quiet makes perfect sense to me! (Score:4, Interesting)
1- They will be aware that their OS isn't perfect. Healthy paranoia is essential to running a system that is secure. If you're not healthily paranoid... "That update? I'll download it later. First I'm gonna download this latest and greatest 3D Game and give it a go."
2- If they are aware that there is currently a vulnerability for... Safari, they have the option of using an alternative browser until the vulnerability is patched. Quicktime? They're aware there is a problem, and put off on downloading quicktime from unknown sources for a while. (Britney Spears porn? That can wait until a patch is out!)
Bottom line- If Apple DOES NOT let their users know about a vulnerability and nothing happens--no biggie. If Apple knows about a vulnerability and DOES NOT let its users know, and something does happen.. Boom, Apple's got a virus, or a remote root exploit, and everyone knows about it. If Apple says "We knew", then they're guilty of not informing their customers. If Apple says "We didn't know", then they're guilty of not knowing how to secure their OS, and not keeping on top of things.
Apple's got a small marketshare that they're trying to increase, and they're trying to burst into a new market where people are still skeptical. Covert cloak and dagger "security by obscurity" is never a good thing, and in this market it will only alienate. It's MUCH better for Apple to say "We have a vulnerability... And three hours later we have a patch."
-Sara
Re:Reasons why... (Score:5, Interesting)
No, that's NOT what is being discussed. Apple tends to patch very quickly and quite regularly. However, the information about exactly what is being patched is usually limited to the programs or processes being patched (Safari, Finder, etc.). The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.
As a geek I'd like to know exactly what the problems were, but that's strictly to satisfy my idle curiosity. I have to admit that it may be better that the details aren't published. I can live without the details (i.e.: a buffer overflow in the XYZ module), but others may feel that the exact exploit *should* be announced. Since I don't have access to the rest of the code, I don't see any reason we should be given the details of a particular patch.
Anyway, the point is that it's not about Apple ignoring or responding to holes: it's Apple's publication of the nature of the holes that is at issue here.
Re:Where's the evidence??? (Score:0, Interesting)
Do you actually know what a kernel is? Hint, Internet Explorer isn't in it.
There have been at least TWO Linux kernel security flaws in the past few months. Both were found by code auditing (not exploits) and both required local user access, but they were there nonetheless.
I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?
You can bash Microsoft's userland applications (RPC in particular!) as much as you want, but their kernel is extremely well-written.
Black Cadillacs (Score:5, Interesting)
Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:
He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
Re:Reasons why... (Score:4, Interesting)
But there's no point pretending that because you've kept it a secret, no-one's going to find out.
So you have to be prepared for the worst, even if you don't ask for it.
Apple isn't particularly good at the patching game (Score:5, Interesting)
Virus Scanner Sales (Score:2, Interesting)
Re:Macs may have security holes, but... (Score:4, Interesting)
Re:Macs may have security holes, but... (Score:1, Interesting)
I offer some counter examples...
Maybe hackers and virus writers can't afford to buy an Apple. Thus, how can you exploit a machine that you have little exposure to?
or
Maybe hackers have more respect for Apple taking open Open Source and being the underdog.
or
Maybe, just maybe... Apple really does have good security.
Blanket statements/stereotypes are usually incorrect. I would expect a little bit of the above and your argument is the case.
Re:Reasons why... (Score:4, Interesting)
Surprisingly unbiased article summary (Score:5, Interesting)
I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!
Just felt like pointing it out. Good job in this instance.
Re:Macs may have security holes, but... (Score:2, Interesting)
Not only that, but because they are a small percentage, it would be difficult for a Mac worm to spread because it would have to try a lot of IP addresses before it found a Mac. Same thing with Linux, though there are a lot of Linux web servers out there.
However, a multiplatform worm would be effective. A worm that could spread between Windows, Linux, OS X, etc. Of course then there would probably be different exploits for each OS. If there was an application that ran on each OS that it could exploit and spread through (e.g. Apache), that would be the ideal for a virus writer.
Re:This could be pretty serious (Score:1, Interesting)
What people fail to realize is that there are literally hundreds, if not thousands, of people who own Macs and many of them are now connected to the Internet.
And they're all broadcasting their IP! Oh no!
Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm.
Imagine. That's the key. You can only imagine it because it's not happening, unlike the Windows world. You could just as easily imagine some equally unlikely scenario for Linux or, if you like, the sky falling. Until there is an actual, widespread exploit instead of the mere potential for exploit, only idiots will get worked up over the "dangers" of running Unix.
Re:Where's the evidence??? (Score:5, Interesting)
How about we start bashing you as making completely stupid and baseless claims... It took me a whole 10 seconds to find NUMEROUS Microsoft Kernel exploits. And this is only a partial list:
XP:
http://www.securityfocus.com/bid/9694
NT4/2000/XP:
http://www.securityfocus.com/bid/7370
http://www.securityfocus.com/bid/3478
http://www.securityfocus.com/bid/4426
2000:
http://www.securityfocus.com/bid/6766
http://www.securityfocus.com/bid/8081
NT4/2000:
http://www.securityfocus.com/bid/10117
http://www.securityfocus.com/bid/1745
http://www.securityfocus.com/bid/1743
Now, that's plenty of kernel exploits, which proves your claim was moronic in the first place. But I digress.
I should have included a ton more, by all means, because of the way Microsoft designed their kernel. Just about every major program, although not "the kernel", is tied into the kernel in such a way that they should be considered part of it. Just look at securityfocus and go through all the exploits where regular programs are exploited to overwrite kernel memory. Frankly, I'd say Internet Explorer might well be part of the kernel.
Wrong target (Score:3, Interesting)
And that's the real problem I wish Apple would catch on to.
The biggest security problem in Windows is one that most people, and most "official" security announcement sites, don't even pay attention to... and that is the tight integration between Internet Explorer and the rest of the system. It still amazes me that people don't routinely pillory Microsoft for the way their cynical legal tactics to bypass their agreement with the DoJ have made IE and Outlook the biggest virus distribution systems in the world.
And the way Apple has integrated FTP with Finder and is increasingly using Webkit in basic utilities and applications really disturbs me. Web-enabled installers (that automatically run the installer on a disk image mounted over HTTP (!)) are a horrifyingly bad idea, and "fixing" one of the security holes by having the installer pop up a warning before it runs scripts in the package is just daft.
This is a much bigger problem, and like Microsoft's abuse of IE it's a basic design flaw rather than a patchable bug. If you're going to demand action from Apple, work on this instead of worrying about whether they played enough "mea culpa" cards when patching a buffer overflow.
Mac OS probably has tons of vulnerabilities... (Score:2, Interesting)
Given that Apple only has 5% of the market share, spending your time writing a Mac virus is somewhat foolish in terms of investment/reward. Even if 50% of Mac users were infected with it, it would barely make the news because so few corporations use it.
It's when you talk about lost productivity and damage that viruses make the news.
Re:Reasons why... (Score:4, Interesting)
When it comes to security holes... publicity is a very bad thing. When a security hole is reported across the mass media, it sends a wake-up call to hackers. When the patch to fix that security hole is released, it sends another wake-up call.
By underplaying the importance, and quietly fixing the problem... Apple's trying to say "Please, don't notice that." No, they can't exactly muzzle the press from talking about the hole, but by not answering media questions and by not making loud announcements when they patch holes, they end up making the life of the media a lot harder... and that just means sometimes the story won't get written. And Apple likes when that happens.
There's a two-pronged reason for being happy. Of course, Apple's marketing people are happy that their reputation isn't damaged when there are fewer bad media reports... but also, hackers going after Apple end up getting less information. After all, loud mass-media mentions of a hole reveal information to everyone, but the enemy is a subset of everyone, and giving information to the enemy is rarely a good thing.
Re:About time the cat was belled (Score:2, Interesting)
A remote security hole is where you don't even need a user on the machine, and are thus more dangerous. But on a large, multiuser system, local exploits are just as dangerous, since it is usually trivial to get unprivileged access, perhaps through beating the crap out of the intern.
Re:Reasons why... (Score:2, Interesting)
Re:Reasons why... (Score:1, Interesting)
Lack of functionality implies lack of bugs, security or otherwise. Not a very interesting point, but undeniably true.
Re:Reasons why... (Score:5, Interesting)
Not really. If they don't tell the end user that the patch is critical, the end user doesn't install it as quickly as if they had been informed.
When software update pops up and says there's 50 megs of crap to download and a reboot or two will be required, I definitely think twice about it.
I don't think people on dial up ever patch.. because downloading the 100 megs of updates that Jaguar, Panther, and XP require has got to be hell.
Nessus and nmap tell a much different story (Score:5, Interesting)
This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.
The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?
If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notorious for self-aggrandizing FUD designed to promote their services.
This reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?
'Tech' article riddled with bias. (Score:3, Interesting)
Apple and Microsoft are both big corp. entities; as such the downplaying of security issues would be expected.
This strongly biased end user and multi-platform support professional would like to add his 10 cents' worth.
1. Apple and Microsoft both have services with discovered and yet undiscovered flaws.
2. Apple and Microsoft both release security patches to address those flaws, typically when *discovered*.
3. Apple tends to patch these flaws *before* they become a problem for the end user base; discovery is typically done by the open source community from which many of these flaws were inherited.
4. Microsoft tends to patch these flaws after the end user base has brought the problems to their attention; discovery is typically done by the end user base under extremely painful conditions.
5. Apple and Microsoft both have mechanisms for priv. separation, both suggest using them, only one really practices this at installation time (you guess).
6. Apple tends to use defaults that reduce system risk while increasing end user ease of use (sometimes this leads to potential damage).
7. Microsoft tends to use defaults that are historical in nature while increasing system ease of use (scripting host, macros, com and wins?) but also tend to expose the end user in methods not easily understood by that end user.
Where am I going with this? This article is obviously a troll.
When asked about platform preference I suggest using the tool that is right at the time and place of need.
i.e. no money? linux and x86
i.e. money? modern mac hardware and OS X
i.e. you paying my bills? Solaris/Sparc Windows/X86
again, biased but hey!
Re:Mac OS probably has tons of vulnerabilities... (Score:3, Interesting)
<sarcasm>
Yeah, anyone who wrote a Mac OS X virus that worked would be instantly forgotten, because nobody ever remembers anything that's remotely embarrassing to Apple.
Just like those two or three incidents of the PowerBook 5300 Li-Ion batteries that caught fire, nine years ago. It's so seldom talked about, [google.com] that it might be news to you that there was a problem at all.
</sarcasm>
~Philly
Re:Small marketshare myth (Score:4, Interesting)
Consider the extreme cases:
If there are two vulnerable machines, and the first one is infected by hand, it will take on average 2^32/2 or about 2 billion tries to find the other one.
If every IP address has a different infectable machine behind it, the work gets parallelized and a sufficiently smart worm could infect every machine in the time it takes to do 32 infections. Even a less clever worm that probes randomly (thus duplicating a lot of effort) would infect nearly every machine after a few hundred infection-cycles.
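The two posts above (the one saying a Mac worm "would have to try a lot of IP addresses before it found a Mac", and the "extreme cases" post just above) are making a quantitative claim about how target density governs worm spread. The following is an added example, not code from either poster: it gives the closed-form expectation for the first hit and a small constructed simulation of a random-probing worm over a flat toy address space. The address-space size, probe rate and the uniform placement of vulnerable hosts are assumptions of the model, not facts about any real network.

```python
import math
import random


def expected_probes_to_first_hit(address_space: int, vulnerable: int) -> float:
    """Expected probes before the first hit when an attacker walks the
    address space in a random order without repeating an address and
    `vulnerable` of the `address_space` addresses are exploitable.

    The V targets split the N - V misses into V + 1 gaps of equal expected
    size, so the first target is reached after (N + 1) / (V + 1) probes on
    average. With N = 2**32 and V = 1 that is about 2**31, i.e. the
    "about 2 billion tries" figure in the post above.
    """
    if not 1 <= vulnerable <= address_space:
        raise ValueError("need 1 <= vulnerable <= address_space")
    return (address_space + 1) / (vulnerable + 1)


def coordinated_rounds(vulnerable: int) -> int:
    """Lower bound on infection rounds for a perfectly coordinated worm that
    never wastes a probe: every infected host claims one fresh victim per
    round, so the population doubles each round and saturates after
    ceil(log2(V)) rounds (32 rounds for 2**32 hosts)."""
    return math.ceil(math.log2(vulnerable)) if vulnerable > 1 else 0


def simulate_random_scan_worm(address_space: int, vulnerable: int,
                              probes_per_round: int, seed: int = 0,
                              max_rounds: int = 100_000) -> dict:
    """Constructed model (assumption, not measured data): `vulnerable` hosts
    are scattered uniformly over a flat address space of size
    `address_space`. One of them is infected by hand. Each round every
    infected host fires `probes_per_round` probes at uniformly random
    addresses, with replacement, so effort is duplicated just as the post's
    "less clever worm" duplicates it. A probe that lands on an uninfected
    vulnerable host infects it for the next round.

    Returns rounds and total probes needed to infect every vulnerable host,
    or stops at `max_rounds` and reports complete=False.
    """
    rng = random.Random(seed)
    targets = set(rng.sample(range(address_space), vulnerable))
    infected = {min(targets)}          # patient zero, infected "by hand"
    rounds = probes = 0
    while len(infected) < len(targets) and rounds < max_rounds:
        rounds += 1
        newly_infected = set()
        for _ in range(len(infected) * probes_per_round):
            probes += 1
            addr = rng.randrange(address_space)
            if addr in targets:        # a hit on an already-infected host is wasted
                newly_infected.add(addr)
        infected |= newly_infected
    return {
        "rounds": rounds,
        "probes": probes,
        "infected": len(infected),
        "vulnerable": len(targets),
        "complete": len(infected) == len(targets),
    }


if __name__ == "__main__":
    # Same 16-bit toy address space and 16 probes per host per round; the
    # only thing that changes between the two runs is target density.
    sparse = simulate_random_scan_worm(2**16, vulnerable=2, probes_per_round=16, seed=1)
    dense = simulate_random_scan_worm(2**16, vulnerable=2**15, probes_per_round=16, seed=1)
    print("2 vulnerable hosts:    ", sparse)
    print("32768 vulnerable hosts:", dense)
    print("analytic first hit, 1 other host in 2**32:",
          expected_probes_to_first_hit(2**32, 1))
    print("coordinated lower bound for 2**32 hosts:", coordinated_rounds(2**32))
```

The sparse run needs thousands of rounds because a single infected host is looking for one other needle in a 65536-address haystack; the dense run finishes in a handful of rounds because every wave of probes lands on vulnerable hosts and the infected population compounds. Scanning real address space also has to cope with non-uniform allocation, NAT, and firewalls, none of which the toy model represents.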
Re:Reasons why... (Score:4, Interesting)
They may release the patch... but what if your computer is rendered useless by applying it?
Re:update mechanisms (Score:4, Interesting)
Re:Can you say Apache? (Score:2, Interesting)
And in turn, CERT's vulnerability count for apache can demonstrate this statement is simply false [cert.org].
And to quote Shakespeare, "Even the devil can cite scripture for his purpose": if you want to fairly compare this to IIS's problem count [cert.org], you should include an application scripting environment, as IIS includes ASP. Let's say PHP, since it seems to be the most popular; we get this count [cert.org].
Quite close, aren't they?
- Oisin
FUD, marketing, and yellow journalism (Score:2, Interesting)
--> http://vyruss.cjb.net/computing/FUD_essay.html [cjb.net]
It's a bit long but this excerpt in particular seemed to relate perfectly to the subject being discussed:
Repeat after me: default ports. default ports. (Score:3, Interesting)
How many network ports are open when you install Mac OS X? NONE. not one. buy a mac, turn it on, put it on some network, run any port-sniffing utility against it, such as nmap from another machine, guess how many hits you get back? NONE. NOT ONE.
Now. Look at windows. for years m$ has wanted to facilitate the life of LAZY corporate network administrators and enable all kinds of services out of the box upon installing their operating system. This behavior has been "inherited" even in the more "personal" versions of windows.
NO OPERATING SYSTEM IS SECURE IN ABSOLUTE TERMS. Apple never made such claims, neither are mac os x users fooled into believing so. Security vulnerabilities are a fact of computing.
The key here is that security works in LAYERS. Just like Ogres and Onions, security has layers: Network, Operating System, Applications, User Education among a few.
Various practices promote better security at various layers. Apple has consistently been better at this than Microsoft ever has. Let's look at a few random considerations:
In OS X, software updates are handled through a dedicated software update program that functions within user-level permission constraints. On Windows, you open your fucking web browser and go to windowsupdate.com to upgrade your computer, while the software installation happens INSIDE THE FUCKING BROWSER, all this made possible through this security-holes-ridden framework called ActiveX. Now, try to educate users to NOT click yes on ActiveX warnings when they're about to download "this really cool screen saver"?
Most windows installations have for years at least enabled file sharing by default, and various pieces of other crap running on port 139. Web sharing, IIS, web-based admin, RPC, the list goes on.
The core pieces of OS X that are affected by security considerations are open-source, part of the Darwin framework. While security holes will always be popping-up, this approach to operating system development and maintenance promotes maturity and better security.
Since Apple has fairly nicely layered its security model in its operating system, the impact of security holes is typically less dramatic. Most of what this article is accusing Apple of is not publicly screaming "OH MY FUCKING GOSH THERE ARE A BUNCH OF HOLES IN OUR SYSTEM". Indeed, they sometimes put a bit of a spin on it and don't feed rumors any further. Just because Apple doesn't return calls from sensational-headline-hungry journalists does not mean they're not actively working with the people they should be working with: security experts. Just look at Apple's release notes. They're doing exactly what they should be doing: citing advisories outlining the security holes for anybody to look them up, and publicly acknowledging and thanking the people who found them.
Kieren McCarthy's article is riddled with fallacies; here's one of my favorites: "In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip". I rest my case.
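The post above tells you to point nmap at a fresh install and count the hits. As an added example, not from the poster, here is the check in its simplest form: a TCP connect() scan (what `nmap -sT` does, minus service fingerprinting), followed by a diff of what was found against the list of ports you expect to be open, which on a box that is supposed to expose nothing is the empty list. To keep it self-contained the demo starts one constructed listener on an ephemeral loopback port and scans a small window around it; that listener, the window size and the empty allow-list are assumptions for the demonstration only.

```python
import socket
from contextlib import closing


def scan_tcp_ports(host: str, ports, timeout: float = 0.25) -> list:
    """Return the sorted list of ports on `host` that accept a TCP
    connection. A completed handshake means something is listening;
    an immediate refusal or a timeout means nothing (reachable) is."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 == connected, else an errno
                open_ports.append(port)
    return sorted(open_ports)


def unexpected_listeners(found, allowed) -> list:
    """Ports that are open but not on the allow-list. On a host that is
    meant to expose nothing, `allowed` is empty and anything returned here
    is something to go and explain."""
    return sorted(set(found) - set(allowed))


def demo_loopback_scan(window: int = 3):
    """Start one constructed listener on an ephemeral loopback port, scan
    `window` ports on either side of it, and report (listener port, open
    ports found, open ports not on the allow-list)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # 0 == let the OS pick a free port
    listener.listen(5)                     # the kernel completes handshakes for us
    port = listener.getsockname()[1]
    try:
        found = scan_tcp_ports("127.0.0.1", range(port - window, port + window + 1))
    finally:
        listener.close()
    return port, found, unexpected_listeners(found, allowed=[])


if __name__ == "__main__":
    port, found, unexpected = demo_loopback_scan()
    print(f"constructed listener on 127.0.0.1:{port}")
    print("open ports in window:", found)
    print("not on allow-list   :", unexpected)
```

Against a real machine you would scan from a second host, cover the full 1-65535 range (and UDP, which this connect() scan cannot see), and keep the allow-list under version control so the diff is meaningful from one audit to the next.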
My favorite Apple communication story (Score:2, Interesting)
So, my bug was fixed in software that doesn't exist. At least they told me.
And I'm more amused than annoyed. At least one can submit bugs, and they generally have fixed all of them by the next major release. But open and communicative...not really.
Re:Where's the evidence??? (Score:4, Interesting)
What the hell is this, an idiot convention???
First off, I listed FOUR, count 'em, 4 exploits that affect XP. Second, I clearly said, in no uncertain terms, that this was a quickly-compiled, partial list. I listed less than half the Microsoft kernel exploits my quick search found.
How about the 'Client Server Run-time Subsystem'? How about Netbios? How about the Virtual DOS Machine (VDM)?
Windows doesn't just have the basic drivers in it's kernel, it has a lot more complicated cruft in there too.
Of course not, I was being facetious.
The program iexplore.exe is run in userspace, but the majority of the functions of the browser are not in the program, but in the OS itself. It is certainly not a solely user-space program.
Statistically true, but completely irrelevant. If programs like OpenSSH were made far less securely, Unix systems would have a far lower percentage of kernel flaws. The fact that Windows system security is crap should not be used to disregard the Windows Kernel problems; after all, it's the kernel that this thread is all about.
Re:Macs may have security holes, but... (Score:3, Interesting)
That is like saying my home is ultra secure because it has never been broken into, when, in reality, I leave my doors unlocked and all my windows open.
Your home may not be "secure," but it is safe; that is to say, it is a statement of social dynamics more than the number of padlocks on your doors when you say "I live in a safe neighborhood; I can leave my doors unlocked at night." That may be naive, and the first attack is always the most remarkable, but still it can essentially be true. Saying you don't need to lock up is true if you live in a community where break-ins are rare.
A similar statement can also be true of Macs and viruses, presently. Right now, it's simply a safer neighborhood. Growth may change that, but it hasn't, so far.
Re:Macs may have security holes, but... (Score:3, Interesting)
"A similar statement can also be true of Macs and viruses, presently. Right now, it's simply a safer neighborhood."
What I really want to know is, if the "neighborhood" that Macs exist in suddenly turned as violent as the one that Windows is in, whether they would hold up. I think eventually, someone will try to create something that will attempt harm to Mac users and I would like to know how successful someone might be at this attempt.
Re:Wishing for a way to mod "journalists" as troll (Score:2, Interesting)
The controversial part of this practice is when the software vendor stalls the fix (which always happens). At what point does @stake go public with a vuln? Three months? A year? There are guidelines that all of these organizations have agreed to, but they aren't legally enforceable, and so there is a lot of gray area in how long a company can wait to release a fix, and how they must classify it afterwards.
Re:Where's the evidence??? (Score:3, Interesting)
I can't agree with that. If something must be run in kernel mode, it should be considered part of the kernel. The fact that Microsoft modularized their kernel does not change anything.
How about if the Linux kernel was incredibly small and simple, and just loaded all functionality via loadable kernel modules?
Normally, no. However, there have been numerous exploits against it, so there is obviously something wrong, at least in implementation, not necessarily in theory. Anyhow, I was trying to prove a point, that there is much more to the kernel than just kernel32.dll and the like.
I have to disagree. There are some inherent problems with the NT design. Sure, most problems are implementation issues, but there are certainly several design flaws as well.
Odd that absolutely none of them mention that debug privileges are required...
They are the kernel. If they are loaded with kernel privileges, they become the kernel.
No, I'd say 1 can be considered a DoS, the rest are privilege escalation. Also, as I said, that was just the start of the list. There are many many more that I could have gone through and listed...