[ISN] Apple Makes Its Case for Security

From: InfoSec News (isn@private)
Date: Mon Jun 14 2004 - 22:52:50 PDT


    By Leander Kahney
    June 14, 2004

    Apple is a famously secretive company. Its hush-hush culture makes it
    impossible for employees to talk about their work, even with spouses
    or family members.

    This may help keep new products a surprise, but it has a downside: In
    the past few weeks widely publicized security holes in OS X were
    discussed everywhere and by everyone, except Apple.

    For several weeks, many users felt they were being kept in the dark.
    And when Apple finally issued a fix -- two actually, a couple of weeks
    apart -- users complained they had no idea of what was being fixed or
    how. Descriptions of the updates were scant, bordering on meaningless.

    But security is very important to Apple. It's one of the key perceived
    differences between OS X and Windows, which is constantly battling
    viruses, worms and spyware.

    So this week Apple executives worked overtime talking to the press.
    The message is that Apple takes security very, very seriously, and the
    company has learned an important lesson in communicating about
    security issues with its customers.

    Ken Bereskin, Apple's director of Mac OS X product marketing, said
    that Apple was stung by recent criticism that the company didn't
    communicate in detail about security updates. He admitted descriptions
    of patches downloaded automatically in OS X's Software Update
    mechanism tended to be simplistic.

    "We think it was very, very valid feedback that we received from
    customers," Bereskin said. "We've had a wealth of information, but
    people haven't known it existed." Detailed information is available at
    the company's security website, and even some security companies
    aren't aware of it, Bereskin said.

    Starting with the latest security update, Apple now includes a link to
    its security website, Bereskin said.

    "We've actually acted on that feedback," he said. "I think that is an
    example that very much we want to refine our process."

    Bereskin added, "In general, we feel we've been approaching security
    in a really smart way. Nothing can be perfect. I think everybody
    acknowledges that, but we're trying to make it as safe and trustworthy
    for our customers as possible."

    According to Bereskin, Apple has issued 44 security updates since Mac
    OS X was introduced in March 2001, and 3 percent of those were
    classified critical -- a vulnerability that can be exploited remotely.
    The Help Viewer and Disk vulnerabilities are examples. By comparison,
    Microsoft issued 78 security updates in the same period, and 65
    percent were critical, Bereskin noted.

    "Certainly no single operating system can be completely secure from
    all threats, but most people we talk to, most of the security experts
    we work with closely, agree that because Mac OS X has a Unix BSD core,
    it lands up being more secure than other platforms, certainly more
    than Microsoft," Bereskin said.

    BSD Unix -- Berkeley Software Distribution -- is a version of Unix
    developed in the 1970s. Designed from the outset as a network
    operating system, it has been widely tested, refined and patched over 30

    Peter Kastner, chief research officer at Aberdeen Group, said the
    storm in the Mac community about OS X security was overblown. "I think
    there have been huge overreactions," he said. "Every complex piece of
    software has vulnerabilities, that's a fact of life -- but OS X is
    good, strong Unix."

    Kastner said the criticism that Apple issued two separate fixes for
    related holes -- the Help Viewer and Disk vulnerabilities -- is
    unwarranted. He guessed that Apple may have fixed the easiest problem
    first and patched the more complex issue later.

    "As an ex-programmer I have a lot of sympathy for the Apple
    programmers who are being asked 'When is it going to be done?' OS X is
    a hugely complicated thing. You don't want to put new bugs in the

    Ray Wagner, a research director with market research group Gartner,
    also thought the fuss was overblown.

    "I think Apple's customer communication around vulnerability patching
    and their automatic update service is quite reasonable, useful, and
    convenient for the end user," he said. "Most of the concerns have been
    around communication with developers and security practitioners,
    rather than end users."

    Ngozi Pole is systems administrator for Sen. Edward Kennedy
    (D-Massachusetts), whose office runs the only Mac operation on Capitol
    Hill. Pole administers about 60 Macs and a couple of PCs.

    "(The Senate) got hit pretty hard by a worm recently," he said. "When
    that happened they had to shut a lot of computers down to isolate the
    problem. Kennedy's office was functioning normally during that time.
    OS X is just not as vulnerable as Windows."

    Pole said Kennedy's office is moving to a new, centralized OS X file
    server, and he is impressed with all the Unix security tools he will
    be able to use.

    "We're taking advantage of all the Unix stuff," he said. "We're very
    impressed with the Unix tools that can run from command line."

    ISN mailing list

    This archive was generated by hypermail 2b30 : Tue Jun 15 2004 - 00:37:42 PDT