Apple Snubs Security Firm That Spotted Mac Botnet
Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"
Mac's don't get malware (Score:5, Funny)
Why would they communicate with a supposed security researcher who doesn't even know that?
Re:Mac's don't get malware (Score:5, Informative)
Can you please provide any links to folks that have claimed that Macs don't get malware?
Here you go:
Mac Commercial (produced by Apple) [youtube.com] and Apple's own webpage [apple.com]
And yes, "viruses" are not the only kind of malware out there - most people on /. know that. But no one else in my family does, and neither do the vast majority of people those two examples target for marketing. Apple's claim that Macs don't get "viruses", in my mom's mind, equates to "Apples don't have malware".
Re:Mac's don't get malware (Score:5, Insightful)
Re:Mac's don't get malware (Score:5, Insightful)
The AV software for Apple is the same as it was for Unix and Linux. It was not that PC viruses could infect *nix. Microsoft, Norton, and McAfee were using propaganda marketing telling people that *nix file servers could not clean up viruses like an NT file server could and were dangerous since they could house viruses causing Windows to become infected. Since most VPs are dumb enough not to understand the unimportance of that marketing ploy, a lot of AV products sprang up for *nix and iOS.
Many of the vendors still produce AV software for OSes that don't really need it for that reason. I'll bet you can still find iOS AV software for a fee, the PT Barnum theory works as well today as it did when he was alive.
Re:Mac's don't get malware (Score:5, Insightful)
Well in all "honesty" apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't.
Technically, it does. PC stands for Personal Computer, not Windows machine. Macs, just like Linux and Windows boxes, are PCs. Since Apple are trying to use pedantry to obfuscate, holding them to the definition of a PC is only fair, which puts them squarely back in the realm of lying.
Re:Mac's don't get malware (Score:5, Informative)
Just for kicks:
"The App Store revolutionized mobile apps. We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun. We can’t wait to get started on January 6."
--Steve Jobs
Re:Mac's don't get malware (Score:4)
If you want to be picky then Bootcamp is an official Apple product that allows you to run Windows, and by extension Windows viruses. It can also run Linux, and by extension the tiny number of mostly proof-of-concept Linux viruses.
Actually you can run various vulnerable software directly on MacOS, such as older versions of Safari or Apache.
Apple claimed there were no viruses. There are viruses. You are dancing on the head of a pin.
Re: (Score:3)
No, Macs do not get viruses. This type of malware is not a virus; it does not infect, does not travel from Mac to Mac, and does not install without permission. The malware is installed precisely because someone gives it permission. You can't stop people from installing malware - it's just human nature. If this is a virus, then so is Facebook.
Re: (Score:3)
Well in all "honesty" apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't; it gets Mac malware.
Technically Macs are Personal Computers, so yes, they get PC viruses (or malware). They may not be subject to *Windows* viruses (if they're not running Windows in a dual-boot or VM configuration), but Windows isn't a PC anyway, it's an OS.
Re:Mac's don't get malware (Score:5, Funny)
Macs aren't PCs. They're crystallized mana from heaven.
Re:Mac's don't get malware (Score:4, Informative)
Cast your mind back to the early 1980s, the era of the Commodore PET, the ZX81, the TRS 80. They were all personal computers, known as PCs. Then in 1981 IBM launched the IBM PC and swiftly manufacturers sprung up selling IBM PC compatibles. Within a year the letters PC had developed dual connotations - personal computer and PC compatible - compatible with the IBM PC. This duality of meaning has survived to today, so while you can (correctly) fulminate that the Mac is a PC, others will (correctly) fulminate that it isn't. You'll have to get used to that, I'm afraid.
Re:Mac's don't get malware (Score:5, Insightful)
From Mac's website: "A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in OS X Lion that keep you safe, without any work on your part."
1) No shit a Mac isn't susceptible to PC viruses. PCs aren't susceptible to Mac-only malware either.
2) In this case, my car isn't susceptible to Windows-based viruses thanks to built-in defenses of its windshield. Viruses weren't written for my windshield, so that counts as a built-in defense, right?
Re:Mac's don't get malware (Score:5, Funny)
Yes, but debugging your windshield is still necessary every once in a while
Re:Mac's don't get malware (Score:5, Funny)
Honestly, the best way to debug a windshield is a full wipe.
Re: (Score:3, Interesting)
Re:Mac's don't get malware (Score:5, Funny)
I guess you don't use Windows Calculator?
Re:Mac's don't get malware (Score:5, Interesting)
I guess you don't use Windows Calculator?
No, because I prefer that the (square root of 4) minus 2 equal 0, not -8.1648465955514287168521180122928e-39
Re:Mac's don't get malware (Score:4, Interesting)
So, it acts like a scientific calculator and doesn't do rounding. What do you expect it to do? Your computer returns that same value if you code that in C.
Re: (Score:3)
OSX's calculator gets it right even in scientific calculator mode. There's no excuse for getting it wrong as Windows does.
How does Linux fare?
Re:Mac's don't get malware (Score:4, Insightful)
What rounding? The square root of 4 is 2. There's no fractional part. Subtract two and the answer is 0. Again, no fractional part.
I haven't tried it in C, but if a particular implementation also returns something other than zero, then it is also defective.
Re: (Score:3)
More so. All OSs that accept third party applications are vulnerable to malware. Most calculators don't make mistakes in simple calculations.
Re: (Score:3)
Re: (Score:3)
But Macs are PCs.
Jobs said so..
http://technologizer.com/2010/12/16/apples-mac-store-is-a-go-and-the-mac-is-a-pc/ [technologizer.com]
Re: (Score:2, Informative)
Sorry, but that says "Macs don't get PC viruses", which is 100% correct. It's just like Microsoft saying "everyone loves Windows". It's true, just out of context and misleading.
Re:Mac's don't get malware (Score:5, Informative)
Re:Mac's don't get malware (Score:5, Interesting)
Macs are PCs. Don't tell me they're mainframes.
Ever seen the ads that begin with: "I'm a Mac" "I'm a PC"
Apple seems to think that Macs are not PCs
Yes, but the Reality Distortion Field has been decreasing in strength as of late. Apple's own moderation of Java updates allowed this one to flourish, the Apple devout can't pass the buck onto another vendor this time. It's foolish to presume that a large installed base of users unconcerned with security would go ignored forever.
Re:Mac's don't get malware (Score:4, Informative)
Apple does believe macs are PCs.
http://technologizer.com/2010/12/16/apples-mac-store-is-a-go-and-the-mac-is-a-pc/ [technologizer.com]
Re:Mac's don't get malware (Score:5, Insightful)
Unless you happen to be one of the 600,000 who clicked on a bogus/rigged link on a spoofed site and got this Flashback Trojan installed.
Re: (Score:3, Interesting)
Unless you happen to be one of the million or more who clicked on a bogus/rigged link on a spoofed site and got this Flashback Trojan installed.
FTFY
The majority of Macs have one of the cheap/free pieces of software that prevented this trojan from installing - Little Snitch, Xcode, VirusBarrier X6, iAntiVirus, avast!, ClamXav, HTTPScoop, Packet Peeper. I said have rather than run as it is sufficient that the path to the application existed, and the application did not need to be running.
Re:Mac's don't get malware (Score:5, Informative)
You're right how dare they, "get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit."?
"According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com."
Source: http://news.drweb.com/?i=2341&c=5&lng=en&p=0 [drweb.com]
Gotta be careful downloading all of that "kracked shit" from manufacturer's own websites.
Re:Mac's don't get malware (Score:5, Informative)
Also:
As PCMag's Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.
From here:
http://www.pcmag.com/article2/0,2817,2402641,00.asp [pcmag.com]
So - yes, it required a trojan-esque password entry to fully activate, but it installed and was active even without it. Which means that it was probably ready and waiting for the next legitimate use of a password entry.
Your walled garden has been breached, and instead of putting your head in the sand, perhaps you'd better wake up to the fact that yes, security really is, at the end of the day, the user/owner's responsibility.
Re:Mac's don't get malware (Score:5, Informative)
Re: (Score:3)
WAY too many people saying what you're saying for this to still be a nerd site.
Virus == malware, but malware !=virus. I don't expect muggles to understand this, but it saddens me that anybody posting at slashdot would be ignorant about it.
Re: (Score:3)
Can you please provide any links to folks that have claimed that Macs don't get malware?
PC's get viruses... [youtube.com], the implication that Macs don't. There are plenty more examples, although I am sure Apple has never been foolish enough to state outright that Macs don't get malware; the implication is clear often enough. And do your own fucking homework.
Re: (Score:3)
Their claims were explicit in that they differentiated PCs from Macs ("I'm a Mac.", "And I'm a PC.") and referred to PC viruses.
But Macs are PCs according to Apple:
“The App Store revolutionized mobile apps,” said Steve Jobs, Apple’s CEO. “We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun.”
Apple’s Mac App Store to Open on January 6 [apple.com]
Re:Mac's don't get malware (Score:4, Informative)
Re:Mac's don't get malware (Score:5, Insightful)
The reason they don't know about Apple's antivirus group is that it's the same one as their legal department. Operating on the basis that if people can't see or hear or know about viruses and botnets, then they don't exist.
Safeguard your data. By doing nothing. (Score:5, Funny)
Re: (Score:2)
http://www.youtube.com/watch?v=2s1MspmfEwg
Re:Safeguard your data. By doing nothing. (Score:4, Funny)
"It doesn’t get PC viruses."
In other news, my electric car doesn't suffer from problems caused by low quality gasoline.
Re:Safeguard your data. By doing nothing. (Score:4, Funny)
Slashdotter who is Apple customer Testimonial: "I thought it was just an innocent file containing photos of goats..."
Re: (Score:3)
Fun game, substitute "data" with various other nouns, like "kids" and enjoy measuring how true the statement still is.
Re: (Score:3)
Though people will pile on Apple (rightfully, see more below) you do need to remember that this hubris is somewhat justified. There was a time when Windows had tens of thousands of viruses to Mac OS's maybe, 8. Macs were just more secure. This was early web days, and there was some department of the government that recommended Mac OSX webservers. Partly because of design, partly because of the PowerPC chip which was hard to write exploit code for. Windows machines were defective by design. Outlook viruses w
there is no Apple AV group (Score:5, Funny)
Macs don't get viruses. It used to be magic pixie dust protected all the Macs, but my MacBook Pro and others bought since the death of St. Steve are protected by His Spirit
Re:there is no Apple AV group (Score:4, Informative)
Flashback isn't a virus...
Re:there is no Apple AV group (Score:5, Funny)
Re:there is no Apple AV group (Score:5, Informative)
Granted, this is
Re:there is no Apple AV group (Score:5, Informative)
Apparently I still go by the traditional definition. What do you think I'm missing?
Re:there is no Apple AV group (Score:5, Insightful)
If this is a trojan, then exactly what piece of legitimate software is it piggybacking on in order to get installed? It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus. Previous versions that were actual trojans were embedded in warez downloads.
Re:there is no Apple AV group (Score:5, Informative)
It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus.
A virus is self-propagating. AFAIK, while this does propagate over networks, it isn't self-propagating (i.e.: infected nodes don't go around infecting other nodes). Hence, not a virus.
That's not to diminish its threat; simply that correct taxonomy aids in discourse towards finding a solution, and preventing similar malware in the future.
Yaz
Re: (Score:3, Informative)
A virus is self-propagating. AFAIK, while this does propagate over networks, it isn't self-propagating (i.e.: infected nodes don't go around infecting other nodes). Hence, not a virus.
No, a "virus" propagates when you boot your computer from a floppy disk that you got from your friend. A "worm" is the one that goes out on its own over the network.
Re:there is no Apple AV group (Score:5, Informative)
Woo pedantic! Here are the given definitions, as I understand them:
Virus = self-propagating, but does not run on its own. Requires some legitimate program which it exploits and modifies saved data to maintain itself. For example: a virus would enter a system as an infected word document, which would add macros into your copy of word infecting all of the word documents you edit after becoming infected. In general, the virus itself is not very useful, but frequently they're used as a piggy-back which downloads a...
Trojan-horse = program which gives a malicious user control over a system remotely. This is frequently done via IRC, but newer programs have become far more sophisticated using P2P protocols of their own design or hiding it as fake HTTP requests making traffic analysis more difficult. The trojan horse itself is NOT self-propagating, but it will put a ton of hooks around the system to re-download/re-deploy itself if it gets shut off. In general its only goal is to just keep running and allowing the malicious user to abuse the machine. Now frequently the malicious user will use the trojan horse to send out fake emails or other things which leads to propagation, but the program itself doesn't necessarily do it.
Worm = program which attempts to spread itself. It gets on a host machine and does something (normally immediately, sometimes with an incubation period, frequently involving email, sometimes 0-day exploits to networked computers) to try and get to more machines. After it has attempted to spread itself around, it will frequently follow-up by downloading a trojan horse, or sometimes it will contain the trojan horse functionality itself.
Straight up worms have kind of fallen out of style these days though. They're a bit too obvious and their repeated, predictable behaviour leads to them being spotted and blocked after not very much time out in the wild. And without some sort of trojan horse functionality there's not much point. Trojan horse functionality allows a central command to update the code and makes the worm a more useful product, eventually getting it on more computers and keeping security researchers guessing longer.
Anyway, hope this actually gets modded up by someone and people use these and or tell me I'm an idiot.
Re:there is no Apple AV group (Score:5, Funny)
Ah, but you're right. This isn't a virus. It's a trojan. And we all know that Trojans protect dicks.
(sorry Apple fans, that one hung out there just a wee too much).
Re:there is no Apple AV group (Score:5, Funny)
that one hung out there just a wee too much
That's what she said!
Re: (Score:3, Interesting)
When was the last time ANY computer got a "virus"? A self replicating piece of code that spread from that PC via contact with storage media, etc.?
"Viruses" are long dead. They are now worms, trojans, spyware, etc. etc. They do not spread the way a real virus spreads. It's an antiquated term that people just use to mean "malware" these days.
So Apple can certainly claim they do not get "viruses". Neither do PCs.
'We don't know the antivirus group inside Apple.' (Score:2, Informative)
Because there isn't one?
*rimshot*
Of course not. (Score:5, Insightful)
We don't know the antivirus group inside Apple.
Apple is too arrogant to admit they have any flaws, so odds are there isn't one.
Just like with the iPhone 4 antenna, they'd rather take bad PR and have their users suffer than admit there's an issue.
Re:Of course not. (Score:5, Insightful)
As much as I love Apple products, I hate their arrogance towards anything related to security. Could break their neck.
Re:Of course not. (Score:5, Funny)
Re:Of course not. (Score:5, Interesting)
Judging by the actual support and bugfixes most Apple software seems to get (ie, none - they're worse than Microsoft in this regard, by a long shot),
Apple's MO is as follows:
* ignore the claims
* deny the claims
* blame the users when popular appeal brings large media attention (it rarely gets this far)
* offer a weak consolation, still blaming the user.
Blaming the messenger (Score:5, Informative)
"I found a security hole in your OS....."
"It's your fault scumbag. Keep quiet!" - Apple. Other companies have tried the same tactic, trying to silence/punish security people from publishing known holes. Like Microsoft. Sony. Nintendo. The Bluray Cartel.
Re:Blaming the messenger (Score:5, Informative)
Re: (Score:2)
However, I think you can forgive Apple not having heard of them before now. Especially given that all of their tools are Windows focused.
Re:Blaming the messenger (Score:5, Insightful)
Eh? Not to make a "no true Scotsman" plea, but the security world is not that big. If Apple hasn't heard of them before, it means that Apple has no presence in this field. Not surprising when you consider that they can't seem to keep their top-secret iPhone prototypes in their pants.
Next, you'll excuse Utah for not knowing that Oracle is a giant security suck-hole. And in other news, RSA didn't realize that PDFs can carry exploits. Uh...
'We don't know the antivirus group inside Apple.'" (Score:5, Informative)
Because there aren't any, I worked for them and customers that called in were routinely told there is nothing to worry about when it comes to malware.
On their corporate side you would be amazed at who states exactly the same thing when they should know better.
Just a taste:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=OS+X&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve= [exploit-db.com]
To paraphrase Steve J... (Score:2, Funny)
"It's not the job of Russian security firms to know where our security holes are"
And also, Macs only get malware "when you hold it wrong"
No overwhelmingly surprising (Score:5, Informative)
Re:No overwhelmingly surprising (Score:5, Insightful)
But in Apple's defense, the permissions structure of Macs is inherently different than on a Windows machine.
Most Mac users run at normal user level, a la Linux/Unix. When the computer needs to do something at the privileged level, it asks for a password.
Most Windows users usually run as administrator by default. Anytime some virus/trojan wants to do something, it just prompts the user with a "Hey, Windows Explorer wants to do something. Continue?"
There is something different about having to type in a password than just clicking ok. Then again, Windows has so many random dialogue boxes that most users don't read them anymore.
Re: (Score:3)
But in Apple's defense, the permissions structure of Macs is inherently different than on a Windows machine.
So? You still write a virus for it, you just have to find the weak spot. There have been virii for Unix-ish machines too,
Re:No overwhelmingly surprising (Score:5, Insightful)
Re:No overwhelmingly surprising (Score:4, Interesting)
Re: (Score:3)
Re: (Score:2)
Pride goeth before the fall.
They don't know the antivirus group inside apple? (Score:2)
I don't know what they are talking about. What antivirus group inside Apple?
Why do we support liars? (Score:3, Interesting)
Re:Why do we support liars? (Score:4, Funny)
It's not their fault if they think different.
What viruses don't we know about? (Score:2)
The iPhone is a juicy target for attackers. One wonders what attacks on the iPhone are in the wild but not generally known. Especially attacks that target individuals of interest.
Corroboration? (Score:5, Interesting)
As with any other claimed discovery, I'd like to see independent corroboration. I'm not saying it doesn't exist, just that I personally haven't seen it. Everything I've read credits Dr.Web as the source. Has nobody else confirmed their findings?
In my experience... (Score:5, Interesting)
Not surprisingly, the summary is not as accurate as the article.
Sharov may describe this as "a symptom of a company that has never before had to work closely with the security industry", but the article correctly points out that it's more a symptom of having "little experience working with the community of security researchers who aim to dissect and shut down botnets." The botnet security community is different from the general security community. As far as I know, Apple has a decent working relationship with the latter. It's no real surprise they have limited experience working with the anti-botnet community, since until now they haven't really had botnet problems.
The article also notes that Dr. Web is relatively unknown and that in the opinion of Kaspersky (which is at least more well-known), Apple is taking the usual appropriate steps.
As far as them not getting a contact back, that disagrees with my experience in reporting a security vulnerability to Apple. You send a message to their easily-found, catch-all "security" address. In relatively short order, a security engineer gets in touch with you, and you communicate with that person from that point on. It seemed to work just fine, unless, I suppose, you're egotistical enough to think that you should be able to pick up the phone and talk to someone at Apple immediately -- which is a common-enough problem in security.
Re: (Score:2)
Macs don't get viruses, tardo. This is a trojan. This guy claims to be a 'security researcher' but doesn't know the difference?
I think we might as well get over having lost this battle. All of the major media outlets (and thus the vast majority of Mindless Media consumers) are calling it a 'virus'.
But not to worry, we've got lots of other technological windmills to tilt at.
Re: (Score:3)
Meh, close enough.
Trojan virus vs. trojan malware. Yes, it's technically not a virus, but it is a piece of malware that the Mac-heads have been convinced they are immune to. And it is, no doubt, the first of many; in time, if someone actually cares, perhaps a real virus (CIH style) will be created for the Mac. You know, something with a timebomb, that goes undetected, then fries the disk firmware?
Re: (Score:3)
Except that this was well enough done to nail 600,000 Apple users:
http://www.forbes.com/sites/andygreenberg/2012/04/06/researchers-confirm-flashback-trojan-infects-600000-macs-being-used-for-clickfraud/ [forbes.com]
Re: (Score:3)
You do realize that Flashback evolved to where it needed neither, right? Unless you have Windows-style habits of relentlessly patching every third-party toolkit on your box, Flashback is perfectly capable of installing itself without your assistance (beyond browsing the web in a normal way).
Re: (Score:3)
It seems that hundreds of thousands of normal people would. And with all the CA problems in the past few years, they would be signed if that was actually needed for them to spread.
Re: (Score:3)
Re:"We don't know the antivirus group inside Apple (Score:4, Informative)
'We don't know the antivirus group inside Apple.' means they haven't been able to talk to them and get to know them. I saw the website, and I feel safe saying I don't know the Apple AV group. I'm sure Sharov found the website. As they said in the article, they just get no response from Apple.
Re:"We don't know the antivirus group inside Apple (Score:5, Insightful)
They did that. They sent email there. They got ignored. What they have for Microsoft, what they *don't* have for Apple, is direct phone numbers/email addresses for the right personnel.
Re:"We don't know the antivirus group inside Apple (Score:5, Insightful)
Seriously? It's that difficult to understand the difference between a generic address that goes $DEITY knows where (and mail sent to it is probably vetted by an intern) and the actual address of the responsible individual(s)/team(s)?
Re:"We don't know the antivirus group inside Apple (Score:4)
That page does not have a single direct contact.
Attempts to contact Apple via info provided on that page apparently, according to Dr. Web, go nowhere.
Re:"We don't know the antivirus group inside Apple (Score:5, Interesting)
I e-mailed that address and got a response from a security engineer. Perhaps Dr. Web is holding it wrong.
Re:"We don't know the antivirus group inside Apple (Score:5, Insightful)
Do you know the difference between communication channels for customers and those for partners and specialists?
I work in an IT support position, and sure, if I need to contact a special group (say the Exchange administrators) I could use the phone numbers used by the customers... and would waste valuable time by making the call center agent on the other end understand that I need to speak with the admins directly.
To avoid this, we have phone numbers and email addresses of those other divisions. You know: A direct line.
The security companies have direct lines to the security teams from Microsoft, and certainly Oracle, Red Hat etc.
This is to everybody's advantage, as it reduces friction and increases response times.
Only Apple doesn't understand that they are part of an ecosystem where everybody relies to some extent on everybody else...
Re: (Score:3)
The Apple Security address isn't for customers, it's for security researchers.
Re:"We don't know the antivirus group inside Apple (Score:5, Interesting)
As someone who has found and reported a (now) patched security vulnerability [nist.gov] to that email address, I can say that I agree with Boris Sharov's complaint. You do get an automated response with a case #, that includes the text
We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.
However, I received no replies when I did request status updates (and supplied additional information about the affected systems with explicit instructions about what needed to be done to fix existing systems). Even when I contacted other sources (Secunia, who confirmed the problem, and US-CERT), I received nothing from Apple. Nor was the problem addressed in two releases of QuickTime in the year following my report.
How I finally got a reply from Apple was sending an email to sjobs@apple.com on Sept 4, 2010 with a copy of the now year old security report, and my statement that I was taking it to the full-disclosure list if I didn't hear back from Apple by Sept 15th. Fewer than 6 hours later (on a Saturday), I had a status update from Apple. Here's the meat of that reply:
Just wanted to let you know that a fix for this issue has been identified, and we are targeting an upcoming release of QuickTime to address it.
We provide status updates upon request.
Subsequent emails always got a reply, but before I sent my email to sjobs, it was like talking to a wall. Also, despite assurances that they understood the extent of the problem and my explicit instructions about needed remediation for affected systems, when they finally released the fix 3 months later, it only corrected the problem and did not provide remediation for the permissions on already affected systems, nor did it even mention that there were permissions to be fixed.
When it became clear that no remediation fix, nor an acknowledgement of the problem was coming from Apple, and ample time had passed for users to have installed the updated version of QT, I submitted my own fix to the Full Disclosure [seclists.org] mailing list.
In total, it was 15 months for Apple to release a fix, a fix that in all likelihood involved altering or removing two lines of code that were granting excessive privileges to specific directories. Even then, they did not correct the permissions on machines that were already affected.
So, in my opinion, Apple has a long way to go in developing and maintaining communications with those who report security vulnerabilities. And in acting upon those reports in a timely and responsible way.
Re:"We don't know the antivirus group inside Apple (Score:4, Funny)
OS X has what, TWO viruses now?
Soon my armies shall pour forth from the shattered sandbox, ravaging this OS and all hope of resistance. My minions will find the vulnerability, wherever you choose to hide it. Then, at long last, BSD shall reign as the prime OS.
Re:"We don't know the antivirus group inside Apple (Score:5, Insightful)
OS X has what, TWO viruses now?
Wow, they sure are creeping up to the millions on Windows platforms.
Enjoy it while you can, arguments like that have their days numbered.
Re:"We don't know the antivirus group inside Apple (Score:4, Insightful)
You only need one bubonic plague...
It doesn't matter how many Mac viruses there are as long as Apple continues to plug its ears when it comes to Mac viruses.
Re:And? (Score:5, Insightful)
Yes, they don't have much communication and cooperation with the 'security industry' since it is mostly full of leeches and parasites who make money spreading fear. Now, this doesn't excuse them from failing to acknowledge issues, since that's just as bad, but the less this 'industry' leeches itself to OS X the better.
Yeah, just let the trojan spread unacknowledged. Ignore it and it will eventually go away, right?
"Leeches" or not, someone needs to work on stopping malware. MS didn't step up to the plate in the past, and I have little reason to think Apple will now (after all, their website still claims "Macs don't get viruses".)
Re:And? (Score:5, Insightful)
A leech that swims by and says "hey, did you know you are bleeding?" isn't much of a leech. Other than a bit more fame, what does Dr. Web gain from this? It's not like they are extorting Apple.
I'm curious where you picked up the idea that security researchers and fake-AV sellers were somehow related?
Do you also assume that anyone yelling "fire" in a crowded building is just trying to make everyone scared? If so, I hope you are in a building fire some day so you can ignore the warning, safe in your fire-proof pants.
Re: (Score:3)
The Apple slogan "Think Different" could just as easily be "It's Not Me, It's You". Oh they'll own up to things eventually, but not before playing some
Re: (Score:3)
Apple, its employees and its users are legendarily arrogant.
Unlike, say, Linux...