[ISN] Apple: Taking OS X security seriously -- finally

From: InfoSec News (isnat_private)
Date: Wed Jul 03 2002 - 04:36:34 PDT


Stephan Somogyi,
Contributing Columnist,
Wednesday, July 3, 2002

During the days of Mac OS 9, Apple didn't need to pay much attention
to security. Attacks on Mac OS boxes were extremely rare, successful
ones well-nigh unheard-of. But Mac OS 9's excellent security record
does not automatically transfer to OS X just because both OSes
originate in Cupertino.

Thanks to Mac OS X's Unix plumbing, any vulnerabilities in Unix
software instantly become vulnerabilities in OS X. Unix vendors as a
rule have always been quick to issue both security alerts and fixes
for discovered holes. Which means that Apple now has a pretty high
standard to live up to.

If you're a Windows user, you've grown accustomed to the never-ending
stream of vulnerability announcements, interminable waits for fixes,
and, most recently, unilateral changes of your end-user licensing
agreement that grant Redmond remote admin privileges on your system.
Trustworthy computing, indeed.

But this is a new ballgame for Apple. And its initial responses to
security flaws in OS X weren't anything to crow about. Apple would
keep completely quiet until it had a fix ready. When those fixes were
finally released, it was usually long after other Unix vendors had
delivered theirs.

I'M PLEASED TO REPORT that Apple appears to be changing its approach
to security announcements, that it's taking the crescendoing din of
security-related criticism to heart.

Last week, for example, a high-profile vulnerability in OpenSSH--a
system for securely transferring data to and from a remote
machine--was announced; Apple released a security update for OS X two
days after the fix became available. That two-day response time was a
welcome surprise; I hope it sets a precedent. While most other
commercial Unix vendors have been quicker than Apple in the past, of
the big names only Red Hat was a day faster than Apple in this
specific case.

More recently, Apple announced this past Monday morning that OS X
wasn't susceptible to a recently discovered widespread domain name
resolver (DNR) vulnerability.

THIS IS NOT TO SAY Apple has become perfect. Its OpenSSH update also
included two other, less timely security fixes. One was for an Apache
vulnerability whose fix was available from other vendors on June 18--a
10-day lag from Apple. The second fix was for the mod_ssl Apache
module, which allows Apache to provide secure Web connections.
Unfortunately, this latter fix was already obsolete when Apple
released it; a new vulnerability had been discovered in the interim,
another update issued by mod_ssl's developers.

Apple needs to not only stake out, but also maintain an unshakable
hold on the moral high ground when it comes to its security policies.
This is critical not only for the growing number of Mac OS X users,
especially if Apple wants to entice existing Windows users. It's
especially important if Apple wants to succeed with Xserve in the
server market.

Proof that Apple understands this last facet of OS security came over
the security-announce list on Monday. Apple announced it was hiring
SAIC's Common Criteria Testing Lab to give Mac OS X and Mac OS X
Server a going-over.

SAIC will test OS X and its Server sibling to something called the
Common Criteria Evaluation Assurance Level 3. If OS X passes, this
testing will verify that Apple has followed secure practices during
development and has actively looked for potential vulnerabilities. OS
X will then be tested against a set of standardized criteria to make
sure nothing obvious was overlooked.

IT SEEMS UNLIKELY that Apple would submit its OSes to such scrutiny if
it weren't confident that OS X will pass. But the announcement was
also a bit cagey: Apple didn't say which version of OS X will be
scrutinized--I assume it will be Jaguar rather than 10.1.

While such certification might at first glance smack of marketing and
buzzword compliance, the Common Criteria are not without substance.
Given their status as an ISO standard, certification is a requirement
for government purchase in many countries.

The debate about the relative security of open source was recently
revived. While the jury is still out on whether closed or open source
yields more secure software, it's clear that open source produces
faster analysis of vulnerabilities and speedier fixes. While Apple's
speedy turnaround with the OpenSSH fix and the DNR announcement are
laudable indeed, two data points do not a trend plot. Apple's ongoing
behavior in this realm is the key to building and then maintaining
confidence among Mac OS X users, recommenders, and buyers.

ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
