Researcher says that Apple "struggles" with security

Posted in macOS, edited January 2014

Interesting article with some good suggestions.

http://www.theregister.co.uk/2009/06...y_suggestions/

Comments

  • Reply 1 of 13
    mdriftmeyer Posts: 7,503 member
    Quote:
    Originally Posted by JavaCowboy View Post


    Interesting article with some good suggestions.



    http://www.theregister.co.uk/2009/06...y_suggestions/



    Quote:

    Mogull's remaining two suggestions are:



    * Establish a security response team to manage communications between internal employees and external researchers reporting vulnerabilities in Apple products, and



    * Manage vulnerabilities in third-party software.



    Apple has yet to respond to criticism about the vulnerable version of Java it continues to ship with its Macs. ®



    Ahh. The only reason you posted this article.
  • Reply 2 of 13
    javacowboy Posts: 864 member
    Quote:
    Originally Posted by mdriftmeyer View Post


    Ahh. The only reason you posted this article.



    No, not really, although that was one of the reasons.



    The problem that Apple has is that while OS X was architected with security in mind, it depends on third-party code, much of it open source. One example is the FreeBSD shell. Another is Java.



    If a security bug is found in the current production release of FreeBSD (ex 7.0) that was present since the previous release (ex 6.0), then the FreeBSD devs will generally patch it pretty quickly. However, Apple's current OS will most likely be based on FreeBSD 6.0 (making up version numbers) and won't be upgraded to 7.0 until the next version of OS X. This means that there will be a problem integrating such a fix right away, because it has to be done in a way that doesn't compromise functionality already in OS X. Meanwhile, the bug is out in the open because FreeBSD is open source, and it will be ripe for exploitation until Apple patches it.



    The same is true of Java. Apple chose to maintain its own version of Java, separate from Sun's. Since Java is now open source and has a public bug database, bugs in Java are out in the open for anybody to exploit. In maintaining its own version of Java, Apple will always be behind Sun, and the same problems in integrating security fixes from FreeBSD will apply.



    The Java security bug that Apple still hasn't patched underscores this problem, since it's a vulnerability that can allow a remote attacker unrestricted access to the filesystem.



    This is the major reason why Apple needs a new security policy. Security through obscurity failed for Microsoft and Windows, and it's going to fail for Apple and OS X.
  • Reply 3 of 13
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by JavaCowboy View Post


    No, not really, although that was one of the reasons.



    ...



    This is the major reason why Apple needs a new security policy. Security through obscurity failed for Microsoft and Windows, and it's going to fail for Apple and OS X.



    Wow! Such complete nonsense.
  • Reply 4 of 13
    mdriftmeyer Posts: 7,503 member
    Quote:
    Originally Posted by JavaCowboy View Post


    No, not really, although that was one of the reasons.



    The problem that Apple has is that while OS X was architected with security in mind, it depends on third-party code, much of it open source. One example is the FreeBSD shell. Another is Java.



    If a security bug is found in the current production release of FreeBSD (ex 7.0) that was present since the previous release (ex 6.0), then the FreeBSD devs will generally patch it pretty quickly. However, Apple's current OS will most likely be based on FreeBSD 6.0 (making up version numbers) and won't be upgraded to 7.0 until the next version of OS X. This means that there will be a problem integrating such a fix right away, because it has to be done in a way that doesn't compromise functionality already in OS X. Meanwhile, the bug is out in the open because FreeBSD is open source, and it will be ripe for exploitation until Apple patches it.



    The same is true of Java. Apple chose to maintain its own version of Java, separate from Sun's. Since Java is now open source and has a public bug database, bugs in Java are out in the open for anybody to exploit. In maintaining its own version of Java, Apple will always be behind Sun, and the same problems in integrating security fixes from FreeBSD will apply.



    The Java security bug that Apple still hasn't patched underscores this problem, since it's a vulnerability that can allow a remote attacker unrestricted access to the filesystem.



    This is the major reason why Apple needs a new security policy. Security through obscurity failed for Microsoft and Windows, and it's going to fail for Apple and OS X.



    You clearly don't get Apple's FreeBSD foundations and how it fits into their ecosystem with the Mach microkernel [now prominently back with Snow Leopard].



    Perhaps you should complain to Hubbard at Apple all about it.



    Here: http://people.freebsd.org/~jkh/



    You can email him and tell him he's a moron and doesn't know FreeBSD and OS X Security:



    After all, as you can see:

    http://people.freebsd.org/~jkh/resume/jkres3.html#3



    He's in charge of overseeing UNIX, BSD, security and more:



    Quote:

    Since June of 2005, I have been the Director of UNIX Technology, a larger organization which comprises the BSD technology, OS Security, Data Security and Vector and Numerics groups.



    I'm sure Jordan is clearly going to default to your knowledge on such matters.
  • Reply 5 of 13
    javacowboy Posts: 864 member
    Then please explain to me why Apple has still not fixed a *severe* Java security flaw that was fixed by Sun over *five months ago* that would allow anybody to have complete control of my machine (they don't need the admin password to do this).



    Here's a proof of concept. Try it out if you don't believe me (it's harmless but demonstrates how severe the security hole is):



    http://landonf.bikemonkey.org/code/m....20090519.html



    What's more, Apple left Java enabled by default in Safari. They could have at least had the common sense to turn it off.



    This is a gaping hole in Apple's security policy any way you cut it, and is totally indefensible. It makes me wonder how porous the rest of Apple's security policy is.



    If Apple can't be bothered to maintain Java properly (which they clearly aren't), then they should let Sun do it.



    Quote:
    Originally Posted by mdriftmeyer View Post


    You clearly don't get Apple's FreeBSD foundations and how it fits into their ecosystem with the Mach microkernel [now prominently back with Snow Leopard].



    Perhaps you should complain to Hubbard at Apple all about it.



    Here: http://people.freebsd.org/~jkh/



    You can email him and tell him he's a moron and doesn't know FreeBSD and OS X Security:



    After all, as you can see:

    http://people.freebsd.org/~jkh/resume/jkres3.html#3



    He's in charge of overseeing UNIX, BSD, security and more:



    I'm sure Jordan is clearly going to default to your knowledge on such matters.



  • Reply 6 of 13
    dfiler Posts: 3,420 member
    I'm all for holding Apple's feet to the fire... but is the sky really falling?



    It would seem the case for patching this particular hole would be stronger if not overstated. Apple has typically responded quite quickly in patching exploits. A patch is deserved but the situation really isn't that dire.



    Also, I'm not buying the security through obscurity meme. Sure, it rhymes and people tend to believe things that rhyme. (No, really, it's true.) But Apple has been so high profile for such a long time that there would be great prestige in creating the first OS X virus.



    So yeah, it's bound to happen. OS X will have its first virus someday. But it hasn't happened yet. Meanwhile, our hundred PCs here at work provide a lot of job security for our desktop support personnel.



    A real-world analogy is this. I lived in a small town growing up. We never locked our doors and many people never took their car keys out of the ignition when parked overnight in the driveway. Hell, I didn't even have a key to my home in high school. As the town grew, it was more and more likely for theft to occur. Yet until it did, should everyone have lived in fear, thinking OMG, we're just secure through obscurity? My answer is no. It would be better to wait for someone's home to finally be burglarized. At that point, a reevaluation might be necessary. In the meantime, anything from McDonald's to sun exposure still poses a greater risk to everyone's wellbeing. I had confidence that neighbors and the police force were actively taking all this into account and acting appropriately. General panic wasn't necessary.



    I prefer real-world metrics. How likely are users to have problems and how severe would the damages be? This is balanced against the effort involved in patching security holes. So far, I'd characterize Apple as one of the best in the industry in handling this balancing act. Their users continue to live problem free despite continual reports that the sky is falling.



    There will come the day when the first true virus hits and it will be all over the internet and TV news programs. Even the morning talk shows will be talking about it. But my guess is, even then, that it won't be that bad. A relatively small number of people will be affected, the security hole will be patched, and life will continue as usual.



    In the meantime, sensationalist opinion pieces on Apple's lack of security will continue to drive click-counts.
  • Reply 7 of 13
    javacowboy Posts: 864 member
    First of all, just for disclosure, I have owned a MacBook Pro since Feb 2009, and have owned an iMac and a Mac mini, so it's safe to say that I'm not anti-Apple. If I were, I sure as hell wouldn't use OS X as my primary OS.



    Also, let me disclose that I'm a Java developer, so I'm also a Java advocate.



    Having said that, if the Java vulnerability were ever shown to be the *only* significant security hole in OS X, then Apple should still be harshly evaluated as having a contemptible security policy borne out of total incompetence, especially since they didn't even bother to disable Java in Safari.



    Had I not explicitly disabled Java in both Safari and Firefox, my computer would be wide-open to an attack in which visiting the wrong website could result in somebody executing this command:



    # rm -rf /*



    There would be no password prompt. This vulnerability effectively bypasses any admin user mechanisms.



    To go back to your analogy, the Apple community may have been like a small town in the late '90s and early 2000s, but now it's becoming more like a medium-sized city with approximately 20% of the U.S. computing installed base (forget about market share, that metric is useless). It's getting to the point where we should all lock our doors, leave some lights on when we're not home, and get some burglar alarms.



    What's more, this Java vulnerability is analogous to the Kryptonite lock being opened by a Bic pen:



    http://www.engadget.com/2004/09/14/k...-by-a-bic-pen/



    It didn't really matter how many bicycles were actually being stolen. What mattered was that they *could* be stolen.



    When I accuse Apple of using security through obscurity, I'm referring to their culture of secrecy:



    1) Onerous NDAs for any developer previews, including Java versions. I can't even ask a question about a Java developer preview without violating the NDA.

    2) Absolutely no public bug database, despite the fact that Apple distributes open source code with their products. I haven't heard of any other software vendor that does not have a public bug database.

    3) Sparse information distributed with OS X updates, including security updates.



    This is conclusive evidence that Apple is deliberately impeding transparency on at least some of their products. This, to me, is ample evidence to accuse them of security through obscurity.



    So, as I said before, if the Java vulnerability, which is huge, is any indication of Apple's overall security policy, then they're in big trouble.



    And, yeah, I'm not letting Microsoft off the hook for their past security mistakes, but it is possible to lock down a Windows box by taking some simple precautions, like creating separate non-admin accounts and disabling certain services.



    Quote:
    Originally Posted by dfiler View Post


    I'm all for holding Apple's feet to the fire... but is the sky really falling?



    It would seem the case for patching this particular hole would be stronger if not overstated. Apple has typically responded quite quickly in patching exploits. A patch is deserved but the situation really isn't that dire.



    Also, I'm not buying the security through obscurity meme. Sure, it rhymes and people tend to believe things that rhyme. (No, really, it's true.) But Apple has been so high profile for such a long time that there would be great prestige in creating the first OS X virus.



    So yeah, it's bound to happen. OS X will have its first virus someday. But it hasn't happened yet. Meanwhile, our hundred PCs here at work provide a lot of job security for our desktop support personnel.



    A real-world analogy is this. I lived in a small town growing up. We never locked our doors and many people never took their car keys out of the ignition when parked overnight in the driveway. Hell, I didn't even have a key to my home in high school. As the town grew, it was more and more likely for theft to occur. Yet until it did, should everyone have lived in fear, thinking OMG, we're just secure through obscurity? My answer is no. It would be better to wait for someone's home to finally be burglarized. At that point, a reevaluation might be necessary. In the meantime, anything from McDonald's to sun exposure still poses a greater risk to everyone's wellbeing. I had confidence that neighbors and the police force were actively taking all this into account and acting appropriately. General panic wasn't necessary.



    I prefer real-world metrics. How likely are users to have problems and how severe would the damages be? This is balanced against the effort involved in patching security holes. So far, I'd characterize Apple as one of the best in the industry in handling this balancing act. Their users continue to live problem free despite continual reports that the sky is falling.



    There will come the day when the first true virus hits and it will be all over the internet and TV news programs. Even the morning talk shows will be talking about it. But my guess is, even then, that it won't be that bad. A relatively small number of people will be affected, the security hole will be patched, and life will continue as usual.



    In the meantime, sensationalist opinion pieces on Apple's lack of security will continue to drive click-counts.



  • Reply 8 of 13
    dfiler Posts: 3,420 member
    Quote:
    Originally Posted by JavaCowboy View Post


    To go back to your analogy, the Apple community may have been like a small town in the late '90s and early 2000s, but now it's becoming more like a medium-sized city with approximately 20% of the U.S. computing installed base (forget about market share, that metric is useless). It's getting to the point where we should all lock our doors, leave some lights on when we're not home, and get some burglar alarms.



    To continue the analogy further...



    Sure, it's a small town that has grown into a mid-sized city; a mid-sized city that has never had a single solitary burglary ever in its recorded history.



    So no, I don't think that people should be putting any thought whatsoever into installing alarm systems. Sure, the police department should be training and preparing for possibilities or perhaps eventualities. But that doesn't mean that the populace should be up in arms. After all, they've never been burglarized. They should be spending more time worrying about fire safety (data backups) than burglary (malicious software).



    So in my opinion, Apple has their priorities relatively straight. You're right to call attention to the subject, but as of yet the situation isn't that bad. Nobody has yet been burglarized.



    On the other hand, thousands if not millions of Mac users lose files every year from accidental deletion or failed hard drives. Thus, the best course of action to protect users would be to concentrate on backups rather than security. Apple has done this. Time Machine has saved more data than will likely be lost when the first virus finally does materialize.
  • Reply 9 of 13
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by JavaCowboy View Post


    ...



    When I accuse Apple of using security through obscurity, I'm referring to their culture of secrecy:



    ...



    That's a total misrepresentation of "security through obscurity." "Security through obscurity" is not an Apple claim; it is a Microsoft excuse. At the turn of the millennium, Microsoft asserted that Windows had so many viruses because its market share was so large. It offered neither proof nor evidence of any kind to support its assertion. The easily convinced turned the Microsoft assertion around to dismiss the Mac's lack of viruses as an artifact of its small market share. With the cooperation of a compliant press and an acquiescent public, Microsoft had managed to change its serious flaws into virtues and Apple's virtues into a flaw.



    Your attempt to redefine the phrase as having to do with the secrecy of the software as opposed to its popularity is even worse than what Microsoft did. Windows APIs are private. MacOS X's APIs are much more open. Your logic applied to the facts implies that Windows security is even worse than you are willing to admit.
  • Reply 10 of 13
    pb Posts: 4,255 member
    Quote:
    Originally Posted by dfiler View Post


    So in my opinion, Apple has their priorities relatively straight. You're right to call attention to the subject, but as of yet the situation isn't that bad. Nobody has yet been burglarized.



    Of course this is not the end of the world, and just disabling Java is sufficient until Apple releases a fix for that. But the vulnerability has been left a really long time and the question is how many Mac users are aware and know what to do or not do.
  • Reply 11 of 13
    dfiler Posts: 3,420 member
    Quote:
    Originally Posted by PB View Post


    Of course this is not the end of the world, and just disabling Java is sufficient until Apple releases a fix for that. But the vulnerability has been left a really long time and the question is how many Mac users are aware and know what to do or not do.



    True, almost nobody has given it any thought.



    On the other hand, I'd be more inclined to unplug all the DC power bricks in my home when they're not in use. After all, they cause numerous house fires every year. But really, I'm willing to live with that risk as well. So I'm not likely to worry about either of those two risks.



    Point being, the Register article seems to have blown things out of proportion. Sure, this is a specific security hole that Apple needs to patch. Rich Mogull, the "security expert" being cited in the Register's article, is advocating a restructuring of Apple's employee hierarchy and development process in order to better address security.



    I'm not sure this is the right thing to do though. It is overly fixated on the fear of someone else doing harm to your data. What users really need to plan for is their own stupidity or hardware failure. Far, far more data is lost to accidental deletion, irreversible edits, power spikes, and failed hard drives. Hell, even house fires claim more Mac user data than does malicious software. So if Apple were to restructure to address the safety of their customer data, is security really the wisest thing to be obsessed about?



    Believe it or not, I partially blame 9/11 for this lack of perspective. People are so worked up about external threats that they fail to keep their own affairs in order.



    In isolation, the desire to better address security is quite reasonable. But a restructuring of the company and development process shouldn't be focused on one issue in isolation. There are plenty of things to keep Apple management occupied.



    Another example is increased user competence. It would save more data than would a more secure OS X. Perhaps a Chief Education Officer needs to be appointed.



    So while the suggestions may be valid for some companies, I don't feel that Apple needs to restructure in the manner prescribed by Rich Mogull. I simply don't buy that Apple is "struggling" in this area any more so than they are struggling to prevent accidental deletion or any of the other dangers to user data.



    Incidentally, here is the article that the Register article was citing:

    Five Ways Apple Can Improve Mac and iPhone Security
  • Reply 12 of 13
    Quote:
    Originally Posted by Mr. Me View Post


    That's a total misrepresentation of "security through obscurity." "Security through obscurity" is not an Apple claim; it is a Microsoft excuse. At the turn of the millennium, Microsoft asserted that Windows had so many viruses because its market share was so large. It offered neither proof nor evidence of any kind to support its assertion. The easily convinced turned the Microsoft assertion around to dismiss the Mac's lack of viruses as an artifact of its small market share. With the cooperation of a compliant press and an acquiescent public, Microsoft had managed to change its serious flaws into virtues and Apple's virtues into a flaw.



    Your attempt to redefine the phrase as having to do with the secrecy of the software as opposed to its popularity is even worse than what Microsoft did. Windows APIs are private. MacOS X's APIs are much more open. Your logic applied to the facts implies that Windows security is even worse than you are willing to admit.



    What evidence do you have that Windows APIs are public and OS X's are open? Since both operating systems are closed source, there's no way to verify this claim. It's entirely possible that since the anti-trust days, Microsoft has now published its APIs, and it's possible that Apple hides a lot of them that nobody knows about. Until the source code of both OSes is opened, there will be no way to verify your claims.



    As for Microsoft, well, security was an afterthought for them until they woke up and smelled the coffee in the earlier part of this decade. Backwards compatibility requirements forced Microsoft to maintain many of their old constructs, such as allowing administrator accounts by default, DLLs, the Registry, etc. Efforts such as UAC were meant to compensate for those deficiencies. I haven't heard of any serious security vulnerabilities specific to Vista, though I could be wrong. The high-profile problems with that OS were more in terms of usability and performance.
  • Reply 13 of 13
    ossian Posts: 18 member
    Quote:
    Originally Posted by Mr. Me View Post


    That's a total misrepresentation of "security through obscurity." "Security through obscurity" is not an Apple claim; it is a Microsoft excuse. At the turn of the millennium, Microsoft asserted that Windows had so many viruses because its market share was so large. It offered neither proof nor evidence of any kind to support its assertion. The easily convinced turned the Microsoft assertion around to dismiss the Mac's lack of viruses as an artifact of its small market share. With the cooperation of a compliant press and an acquiescent public, Microsoft had managed to change its serious flaws into virtues and Apple's virtues into a flaw.



    Your attempt to redefine the phrase as having to do with the secrecy of the software as opposed to its popularity is even worse than what Microsoft did. Windows APIs are private. MacOS X's APIs are much more open. Your logic applied to the facts implies that Windows security is even worse than you are willing to admit.



    Microsoft Windows is a bigger market. Simple economics determine that it will be more readily targeted as the market is larger and the rewards greater. Malware is an economic crime. It is not about "deleting files" and hasn't been for a very long time. Malware these days keeps a low profile and either gathers info or steals bandwidth to send spam/carry out DDoS attacks.



    Microsoft didn't invent "security through obscurity" either; the term has been used in computing since the 1960s and usually refers these days to Unix-like systems.



    My own work has predominantly been on securing Unix systems, which have as little malware as OS X but are still targeted every day by criminals. We have also detected intrusions onto OS X and System 9 boxes. Big companies attract a lot of attempts and need layered security systems and close monitoring to minimise losses.



    Security is about protecting your assets, not your pride or MP3 collection.



    Secunia 2007 Vulnerability Totals:

    XP = 34
    Vista = 20
    Mac OS X = 243

    Highly Critical Security Flaws 2007, Secunia:

    XP = 19
    Vista = 12
    OS X = 234



    The no-malware argument doesn't mean no exploits take place; see http://blogs.zdnet.com/security/?p=2748 for example.



    Windows APIs are public knowledge. Even the undisclosed ones were forcibly disclosed by the DoJ.



    Nobody has done this to Apple and I expect it has hidden APIs. Not all of them of course or programming would be difficult.



    In short, Apple isn't perfect. Microsoft isn't evil (in fact Vista has a better security model than any other desktop OS at the moment). Posted from a Linux laptop.