
Apple "needs better communication" on security front

updated 08:00 am EDT, Thu June 3, 2004

Apple security issues


Apple "needs to " on security issues, after it failed to respond to a security vulnerability reported by one user, down-played the seriousness of another, and issued an incomplete patch for the multiple URI exploits noted earlier this month: "Although the tech industry has guidelines that call for researchers to notify vendors of threats and then wait at least 30 days before going public, Schiller said Apple uses its own process to decide when to issue a patch, a process that takes into account Apple's assessment of the threat posed by the vulnerability....[Also] critics have called on Apple to offer more detailed information on its Web site..." [updated]


by MacNN Staff


Comments

  1. LouZer

    Fresh-Faced Recruit

    Joined: Nov 2000

    0

    Umm

    They have a dedicated address to send bugs. They have one specifically for security issues, as opposed to the one or two for bug reports (which I believe are web forms, not email addresses, like that's a big deal - although for these people, who knows, maybe they think sending email is better, although at least with a web form you have instant confirmation your complaint has been entered).

    And I really would appreciate a fix for this whole URI exploit that could allow someone to run pretty much anything on your computer.

  1. Roehlstation

    Fresh-Faced Recruit

    Joined: Aug 2001

    0

    No Kidding....

    They need to communicate security holes as well as Microsoft does....

    Wait... a second... Oh never mind.

  1. SDW2001

    Forum Regular

    Joined: Jul 2001

    0

    CNet Does it Again

    CNet is shameless. Apple cannot be discussed as if it operates in a vacuum. It must be compared to other companies, particularly Microsoft. Apple's security problems are exceptionally minor when compared to the gaping hole that is MS Win XP. I don't know why I am surprised.

  1. Manuel

    Fresh-Faced Recruit

    Joined: Feb 2000

    0

    So, I guess...

    someone would have to send you a file that, when clicked, would take you to a web site and it would automatically download something innocuous without your permission or by surprise. All the compromised tests that I tried were enacted by me. I think it would be my own fault if I log on to a buggy site or let an unknown file open Safari for me. I think I'm reasonably quick to stop the browser from loading. It's not like Windows and load straight into your computer when you open an e-mail. So am I reading this right?

  1. shawnce

    Fresh-Faced Recruit

    Joined: Nov 2000

    0

    Well...

    Several of the recent Windows exploits have been remote exploits that can take place without any user interaction (other than turning it on with it connected to a network). All it takes is someone with an infected system to probe your system (usually by guessing at its IP address, scanning ranges of IP) and exploit the security hole remotely. Then you are infected and the cycle goes on. In many cases the Windows worms that do this also open up new exploits that folks can use to make your system do their bidding. Often to send spam emails without you knowing, at least more and more so recently.

    In the case of Mac OS X a few remote exploits have been found (some in Apple code some in open source code Apple includes) but most if not all have been in components that are turned off in a default install (apache web server, ssh, etc.). When Apple learns of these they have quickly addressed them and provided secure patches (as Microsoft does these days as well).

    However in the case of Mac OS X I don't believe any worms took advantage of the exploits while they remained unpatched, while in the Windows world when a remote exploit patch is released nefarious folks quickly reverse engineer the patch and write worms for it knowing that most folks don't quickly patch their systems. They basically try to get their foot in the door before it is shut. The target market is simply much much larger on the Windows side so they focus on it.

    Now the recent issues reported against Mac OS X require user interaction such as downloading a file or navigating to a website with nefarious links in frames that download a file and redirects/refreshes to attempt to utilize the files that got downloaded. This is bad but not as bad as the remote exploits talked about above since it requires some user involvement. Also said website would likely quickly get identified and those involved more easily tracked down than in the case of a worm.

    Basically the recent Mac OS X exploits (note no one has actually reported being a victim of, nor is any real trojan known to attack) are fancy social engineering style exploits. Trying to trick folks into doing something that they shouldn't do basically.

    Apple should help users from doing the wrong things but they have to balance that against ease of use and functionality that we all like. I fully expect Apple to implement a reasonable solution to the potential URI exploit.

  1. testudo

    Fresh-Faced Recruit

    Joined: Aug 2001

    0

    Re: so I guess

    No, I don't think you're reading this right. Most of MS's security warnings are for 'mal-formed links' or the like, but it doesn't stop people harping on them about security, even if it takes a user to click a link to get it to crash.

    For the latest URI exploits, all you need is to click the wrong link. It can do many things, from running scripts to downloading and running programs. You might be able to catch that something is downloading, but then again, maybe not. And some of the exploits don't need downloaded diskimages.

    Also, keep in mind OS X has internet-only disk images. These don't download in the normal sense, since they're never on your computer. But they load regardless.

    And most of this is doable even if you turn off 'open safe files'.

    But I guess if you're the type of person who just visits large, well-known web sites, and never goes 'off road', so to speak, then you're probably safe. But all you need is to click on that link on MacNN about someone who's posted pictures of how he planted his iBook into his dashboard of his car, or just peer at the pictures on AppleInsider of the roof of the building where an apple store is going to be. Click a link to go to the next picture, and as it's displaying, look, there goes your home directory. Or, even worse, look, someone is copying all your data to some IRC chat room...

  1. klinux

    Senior User

    Joined: Jul 2002

    0

    shameless my a**

    Apple does not need to be compared to another company i.e. "well, at least we are not Microsoft" as if that justifies the existence of this exploit.

  1. Maclectic

    Fresh-Faced Recruit

    Joined: Sep 2002

    0

    News.com being fair...

    This is the fairest article to come out of News.com in awhile about the Mac or Mac OS X. It is hard to disagree with most of the article.

    The problem with News.com is its frequent history of misinformation and Mac bashing. We just don't expect them to be fair, so the immediate reaction is to assume they are not.

    Hopefully they keep it up, but I'll still be wary.

    Apple could be doing a better job with security. Microsoft also. The article points out early on that Apple has done a pretty good job and most of Microsoft's efforts are superior primarily based on afterthought. MS has more money to address the issues after the fact, but their prep work for security has generally been bad.


    - Maclectic

  1. the Rebel

    Fresh-Faced Recruit

    Joined: Jul 2000

    0

    Microsoft vs Apple

    The Sasser took advantage of a Windows security flaw that Microsoft knew about for over 6 months before they released a patch. The Sasser worm infected millions of computers and caused billions of dollars worth of damage.

    Although OS X is currently facing its most serious security issue in its 4 years of existence, no one has ever reported encountering ANY exploits of OS X security in the wild. All OS X security issues put together have not caused even one thousandth of one percent of the damage that the Sasser worm alone caused.

    Microsoft's Windows security problems are more plentiful and more damaging than Mac OS X security problems. Microsoft typically takes longer to respond to potential security issues than Apple does. It is much easier to keep OS X up to date than Windows XP.

    Apple's handling of security issues may not be perfect, but they have by far the best record in the PC industry. It is okay to offer constructive criticism to help Apple improve, but it is stupid to try to spin it as if Apple has a major serious problem.
