Toulouse Picks Apart Apple

By Ryan Naraine  |  Posted 2006-03-22

"[I] went to their most recent security update documentation. I note no mitigating factors in Apple's security communication for customers to assess their risk. I note no frequently asked questions in Apple's security communication to cover what an attacker could and could not do or any other information customers might ask about. I note no workarounds in Apple's security communication for people who cannot immediately deploy the update," Toulouse declared.

"I note no deployment information for enterprises in Apple's security communication. I note no severity rating for any of the issues again so customers can assess their risk since updating can be disruptive sometimes. I note no file manifests in Apple's security information for customers to check to make sure updates are applied properly if they wish. I note no caveats in Apple's security communication in case changes made in the update cause known application compatibility issues or support issues are discovered," he added.

"I note no free support number for trouble with updates in Apple's security information in case customers need help applying the update," Toulouse countered.

He stressed that Microsoft's prepatch security alerts and subsequent security bulletins contain all that information because that's what customers demand.

When Apple was forced to re-release a security patch because of problems caused by the original update, Toulouse posted a third blog entry with another call for Apple to implement better internal security coordination and highlighted several weaknesses in the way Apple announced the patched patch. "In the original advisory, they note that a new version is available, so that's good. But, there's no RSS feed around it. You can get an RSS feed for ALL support articles, but not just for the ones that apply to security updates. Apple does have a security announce mailing list. But it doesn't seem to cover when there are new versions available when a bug is introduced by the update," he noted.

"One might argue that you don't need those things if you are using the built-in auto-update functionality of OS X, but I would argue back that the fact there was an update to the update might mean people turn that off to test updates before deployment because of problems like this. Oh well," Toulouse declared.

