Hunting the Doozies
Brent Simmons, the owner of Ranchero Software, said that he once uncovered a bug that "turned out to be a security risk." He reported it to Apple first and was later even credited when the company released an update that fixed the bug.

"The computer security industry came up with the term responsible disclosure," said Fred Doyle, the director of iDefense Labs, to denote the process of reporting bugs to software manufacturers. Security companies say that this is their procedure.

"This is much different from the MOAB process," he said. "We give notice to the vendor and give them a responsible amount of time before going public." Doyle noted that they will go public with a security issue if a vendor is unresponsive. "However," he said, "this has not been the case with Apple." "From our perspective," he said, "they're missing an important step."

Dave Marcus, security research and communications manager for McAfee Avert Labs, concurred. The timing of releasing information on a security vulnerability is "an area of contention for most security companies," he said. But, he added, "While all security vendors think patching vulnerabilities is a good idea, disclosing them in this manner puts users at risk, and that's never a good process."

Still, Mueller said, the bug tracking is a vital service. "The QuickTime bug in my eyes is a doozy," he said. "I took the work they did to expose the bug, and then made my own version of it where if you visited a particular Web page in Safari, it would download an application and run it automatically," Mueller said. He has posted a sample of this on his blog.

"That's real bad. Granted, there have to be a number of things that are just right for it to happen, but the Intel iMac sitting on my desk fit the mold perfectly, and I got to see it happen first hand."

McAfee's Marcus said he agreed on the severity of the flaw. "So far, the bugs are not show-stoppers, but that's not to make them trivial. Anything that results in code execution or privilege escalation should be taken seriously, but so far nothing is a show-stopper," he said.

That security flaws exist in Apple products shouldn't be surprising, said iDefense's Doyle. "There's no such thing as a perfectly secure software product of any type," he said.

"If it were like the old Windows case of a new and major vulnerability each day for a month, then people might have a different perception of OS X," said Mueller, "but that's not what's happening here."

A spokesperson for Apple said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

Check out eWEEK.com for the latest news, reviews and analysis on Apple in the enterprise.