http://www.wired.com/news/mac/0,2125,63805,00.html

By Leander Kahney
June 14, 2004

Apple is a famously secretive company. Its hush-hush culture makes it impossible for employees to talk about their work, even with spouses or family members.

This may help keep new products a surprise, but it has a downside: In the past few weeks widely publicized security holes in OS X were discussed everywhere and by everyone, except Apple.

For several weeks, many users felt they were being kept in the dark. And when Apple finally issued a fix -- two actually, a couple of weeks apart -- users complained they had no idea of what was being fixed or how. Descriptions of the updates were scant, bordering on meaningless.

But security is very important to Apple. It's one of the key perceived differences between OS X and Windows, which is constantly battling viruses, worms and spyware.

So this week Apple executives worked overtime talking to the press. The message is that Apple takes security very, very seriously, and the company has learned an important lesson in communicating about security issues with its customers.

Ken Bereskin, Apple's director of Mac OS X product marketing, said that Apple was stung by recent criticism that the company didn't communicate in detail about security updates. He admitted descriptions of patches downloaded automatically in OS X's Software Update mechanism tended to be simplistic.

"We think it was very, very valid feedback that we received from customers," Bereskin said. "We've had a wealth of information, but people haven't known it existed."

Detailed information is available at the company's security website, and even some security companies aren't aware of it, Bereskin said. Starting with the latest security update, Apple now includes a link to its security website, Bereskin said.

"We've actually acted on that feedback," he said. "I think that is an example that very much we want to refine our process."
Bereskin added, "In general, we feel we've been approaching security in a really smart way. Nothing can be perfect. I think everybody acknowledges that, but we're trying to make it as safe and trustworthy for our customers as possible."

According to Bereskin, Apple has issued 44 security updates since Mac OS X was introduced in March 2001, and 3 percent of those were classified critical -- a vulnerability that can be exploited remotely. The Help Viewer and Disk vulnerabilities are examples.

By comparison, Microsoft issued 78 security updates in the same period, and 65 percent were critical, Bereskin noted.

"Certainly no single operating system can be completely secure from all threats, but most people we talk to, most of the security experts we work with closely, agree that because Mac OS X has a Unix BSD core, it lands up being more secure than other platforms, certainly more than Microsoft," Bereskin said.

BSD Unix -- Berkeley Software Distribution -- is a version of Unix developed in the 1970s. Designed from the outset as a network operating system, it has been widely tested, refined and patched over 30 years.

Peter Kastner, chief research officer at Aberdeen Group, said the storm in the Mac community about OS X security was overblown.

"I think there have been huge overreactions," he said. "Every complex piece of software has vulnerabilities, that's a fact of life ... but OS X is good, strong Unix."

Kastner said the criticism that Apple issued two separate fixes for related holes -- the Help Viewer and Disk vulnerabilities -- is unwarranted. He guessed that Apple may have fixed the easiest problem first and patched the more complex issue later.

"As an ex-programmer I have a lot of sympathy for the Apple programmers who are being asked 'When is it going to be done?' OS X is a hugely complicated thing. You don't want to put new bugs in the system."

Ray Wagner, a research director with market research group Gartner, also thought the fuss was overblown.
"I think Apple's customer communication around vulnerability patching and their automatic update service is quite reasonable, useful, and convenient for the end user," he said. "Most of the concerns have been around communication with developers and security practitioners, rather than end users."

Ngozi Pole is systems administrator for Sen. Edward Kennedy (D-Massachusetts), whose office runs the only Mac operation on Capitol Hill. Pole administers about 60 Macs and a couple of PCs.

"(The Senate) got hit pretty hard by a worm recently," he said. "When that happened they had to shut a lot of computers down to isolate the problem. Kennedy's office was functioning normally during that time.... OS X is just not as vulnerable as Windows."

Pole said Kennedy's office is moving to a new, centralized OS X file server, and he is impressed with all the Unix security tools he will be able to use.

"We're taking advantage of all the Unix stuff," he said. "We're very impressed with the Unix tools that can run from command line."

_________________________________________
ISN mailing list
This archive was generated by hypermail 2b30 : Tue Jun 15 2004 - 00:37:42 PDT