Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Can Apple Overcome Latest Security Backlash?



 By: Ryan Naraine
2007-01-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Can Apple Overcome Latest Security Backlash?
  2. ' Is Apple Confusing Reality '

Rate This Article:
Poor Best
Can Apple Overcome Latest Security Backlash?
( Page 1 of 2 )

News Analysis: The Month of Apple Bugs has opened old wounds in the vulnerability disclosure debate and renewed calls for a security czar to soothe Apple's relationship with hackers.

A pair of renegade hackers has launched a project aimed at embarrassing Apple Computer into fixing software vulnerabilities in a timelier manner, prompting new calls for the Cupertino, Calif. company to hire a security czar to head off a growing crisis.

The MoAB (Month of Apple Bugs) launched on New Years day with technical details and attack code for serious holes in the way media files are played on Apples Mac OS X and the two researchers—a hacker known only as L.M.H. and Kevin Finisterre—promise to expose similar insecurities every day throughout the month of January.

The project follows L.M.H.s MoKB (Month of Kernel Bugs) project in late 2006 that also took aim at the Mac OS X and sends a clear signal that members of the hacking community are aggressively looking to debunk the general feeling that Apples flagship operating system is immune to virus and worm attacks.

The latest anti-Apple sentiment is driven mostly by what is perceived as a smug attitude towards legitimate flaws by the companys uncompromising fan base, but some security analysts believe the blame should fall entirely on Apples doorstep.

Resource Library:

"Those Mac commercials really rubbed the security guys the wrong way. It was like a dare to break into the Mac," says Thor Larholm, an independent researcher based in Denmark.

"With Apple, it always seems like the marketing message is more important than the actual building of the software and the hackers feel they have to provide a dose of reality," Larholm said in an interview with eWEEK.

Finisterre, a hacker renowned for his work on exploiting Mac OS X vulnerabilities, says Apples tardy approach to releasing fixes for known flaws is more dangerous than any exploit released during the bug-a-day project.

"A good start would be for Apple to communicate better with those folks that do the actual reporting [of vulnerabilities]," Finisterre said in response to critics of his project.

"Perhaps more timely fixes would be nice as well. Ive got one bug that has been reported to Apple for more than three months," he added, stressing that its normal to have to chase down the companys product security team to get updates on fixes. "They should be the ones following up with us on a routine basis," Finisterre argued.

Click here to read more about Month of Apple Bugs.

Indeed, a 2006 study by the Washington Post found that Apple took about 91 days on average to issue patches for flaws that could have been used in code execution attacks.

The study found that, almost without exception, open-source Linux vendors were months ahead of Apple in fixing the same vulnerabilities.

The company does not have a patch release schedule and it is very common for a security researcher to wait through two software updates to see a reported flaw get fixed.

Apples security advisories have been criticized for being too vague, lacking severity risk ratings and missing workarounds for users who must test patches before deployment.

In addition, the companys formal policy of refusing to "discuss or confirm" security issues until patches are released also rub researchers the wrong way.

Next Page: Is Apple confusing reality with marketing?





  Reader Comments: Can Apple Overcome Latest Security Backlash?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks㶲*Q3CO#Mɶ<4Lj I)RlkO/Oon|AK~Ldl @_h4?y$sW7-gDڮ9)ٝfߧGo-zIû@@eZNULrJԶnT7n[#3P/W?`W᳙(, E%U5EpHԸ#|/adwy4;U'iS[7SUȓ[vB1BEۺwCդQ@ؓ:IuhmUb'Өbb#kLN\^@Zˆ螥{ɧ5u5I  1A 4cT8ny8DrHn6, шj)1gO?-I| p\.ܪa?WuomzVu7#ϝ9yqL%X䈍YR6'`>6)L|@ɤ:أZr ˺7h4öCٰo5TתrXJqy/,t|rf2w7ּ[\)(E2Gqغsm)9x] >LEu|vN{y~Nԯy9vx/o0wND߀*QI- I|/LZ@WP> H5](E~WB-hZAArIjaԳ|3+i*H,GQD~24/zͫ˫VIz㳣V;lL,O!R42V,]?C[ˠjq}zrtqݺ8\wi犜4?]$/#t2 +?9V'ZUlxiuHz>5401\]Z-Kj=O'ޗ&Py$Y.IzkCzJ ݖEL_ȻH]K$j̱o>0@|ˤd0&p, ߱n\S'G`h_[Ѭ[c/DU1MXRƒ t$u[5Hr Ca)#p?c%Wi8@r5)6K .F7R&,|Y U >hI,A[!f0 .)J""xV3 qE KH@!]F!8N0FpJn.b? [&gчfeٜ%YWaLo\zFUt/;~j7Ƈ&8J,0B- ]evbc77Jy?6V)a**r{XQnl :2X bX2nҡ>OςI5tO|BMk6 tI< YC#ʠ:ڴ;\gVc4!D& ap{4ڭl= KPI}xXOk9mLP"AЂMz>tT9]|2Z9ܹ ([ hk=`DMWtCP{DM}PC\7 >)@}> QmVl}``1 5g%~J;r%FaA.G))(I.BD(ZHB!Al~ [$p Xhd+_􎄰R1iJLO:Tt{B#}T/΍5aGe-n^ $ d3CCd0U Q򍜈<"`&ˑea*0pRx5VnZbަ!By^I8{&\YU =j˚so9rHz:uf3xtpĄ'HwT1%]*oaBx1uNESsؽ#hƏl?}P>HQob#C[HLq}bBB61 {A3uNP"'Կ ;3u9\OT=\҃9 UQR }+rv7MAR?Ty  Bdj/h~W.Y 3EXVHdF!zC{ޡ[fR;= =Mrʳ"#]_7oX>ťHN(mt'й+>q^v.i}mOӬ{o%<4j?յ݋$/gsP*ouRaO[FޒymE_xue8Hi K-CrB`}.E6GQ4dJ 'Ϳ]ϞZC>c_/U WCX[)ZPbY;7L`beQӿR&a+\ڨ NaOcw Asm0Hww't f)نhpc׏pBa1e.FVUmg`m1LL=F˸hBqmP XbOFSTWɅk'SKwEeH w.f h>j6 G議C`VA`Ng43aJZ6 }˞CO;b^-!/&aT5<6D ȸau-Ce0t<}Oef/~^Sz5gn-%ߙ[aecFHdec7\@ +RUw/5bYGYw hO7`sc'k=F&: `LDnЬ 0Դ'sZ-V,?Al ޯј oD@u.eۏU)&Uj l|`ZsnG<֔H+  c4}52*jAe/Y_c7g)h"RkF:Fd@tΈ+6RNT8ɯA)q>:(TX7cmE{^ac7U[o&F)'/ZǗ&h6> ͳiLl[tܷ p]ozJ~QB<Z\#h zfk}#}x-%8r zĀİh{~UM+%u2YhSIpg#HٚIκVsl,On?yRL5_Ap5xb==#ݸM_-`YEn9&+㧠ksɜC/)ɹ%wB֮NZo40p2Z|r0NyT!"kq0n| #8wDA$ۭ>\tc5'y] ɧMC 7ѐJ[G#n$}!=֢,ADuP*jIIz$pE礠vd iW&{\x&\_{3Ƌbo(Q^~TW"6)wD<7ϰ;b}Nb4i q獋55;b9[FIgYy!ڤiH@kX{Pq#$eZU ՂV'ftPpz]Fߍ eRԣ{{k7}óA"wP)߭q*⃪Fr@*5]*; se0F\0R,W1<ʢ'r]N6._-Java ^`|"@-a'd8'߾l[D ?wLaV*c7x~.RH$ |J D< 2{qm^?3Z cS7O{{=LL_BP`n&ZwmOI@ NEw%]׭)hlsѓN{4Rv5 }Mj]4= C:.NVɏ-ӸoٷP KNCbw}|ɾ3zV^6NNZ+^6|v< 24H4r:mݸк_>w)Cr޺hJ^zKQ\C R?!pSf*<fSڌ6N ,#zqaL D/8 m̀@ c\48`LBX5c-I'B A0q0fR쬨O4H\/O9!- L 춻zMY fЧ ǻoc$Ǯv'ݻw~Zw[q*A-wM,d9a}4؞qnbLdOB%7÷Fp7*'cc3ψF#%kOS˱6m @|ՐphZ1q`jcZop8|#؈fχGɎ?7e{cA|3 e\1Kp/WϦ7߂C !C9h3[aGɨ0^ <"s(u߂KݤCƧˁUmYZuVղ/8뚭qx}(t'Jtpp* UṺ1ޭ?/<xH9]RH*CyO$>>;ڭ?޳ 92(Cy}~2kjQ-~-9t{+rcԐYh zJ~+˿x9~>0L fKZ=r ]Z٭? C3: &%U6.:f.RxBu@N) 蔝i [=Up'K. hڵ.CN%$r t5\W&Br<$u\wg|rdCrN Ha:vc"IP2>Q\T(ObjS"6 */LU#ϫb%E,x6DVdIJ]G"7i^ۃHK48PZPKq:ٳCZ!!3 #u@2&#ʓ&''I{I!j &ᎏHè/6D:8!a2yT&ZQJՊ}?rXM7 ~͛/yjS!`@A_~tVRc]J.y۪I aB4ovY~lK=F l.4XZ0 Y >o>/9pXYCg. *(wx")T&e̱\s TkY. D:vg)&s^[7NWU*3BUB P€qFPxdN*%18?VԸ/7sQ#P-!uԑxbүmҩ{PhKr]_€GRxRTT5SF1D%| `04 0~$"%SdGЦ)mOBq#_~ !`#Rʁ1SV  h $xAu  ε!,aBXSth0!a!׷yj)1KEθ6p?]+S#Mu;.x5>rIEUn-[`*+uOEO!6Em@)0 ?"t=K$c*R0-XK \+4%TdaK.KLᢴ&.󭾎 *a*>/|iV6%K&G0fd%]|9F'[j&RcPqbK6TR%R*~D ' > jY8?#pY6N_}_Y O {R֪էcyu[s*eΓt_<#NW:q]RA- -lL|{<[nRLN{7@wpKz5^D'iKm !$ʌ*n3V0_ >7B</GWݐͲpKd:7wȰ-LJ04|a/&hgvbOiMF$F!%%pJ7Mǜ`Ia~rRsTLaeW\#U(뛽L?W(t =Z&ե2X:%Ԓ'9*E l2W?p~ωґ`]%&YfZRT!X]4U$Vձ]b/kH |^Uu6+0n7\Cj935@5IB{qF(Kv?$v xz]vܫ, /ڸ[N}ٷ y-ci&4*xuX~=},L:$Wv $=vΘ.EvGnRJxIܲ`jWl]N/~W8e\4%ԝ\W{U/߂p8_͜ELa6 QZOkzm6YoڄC֔ͤm Z!ߤLBm_mױ6 xQتW&eƑ=:qoRjY,{Cˬewbr{,lju3=  ʬk2M$Q3 ƹ;}b",NkV,P2maDK5z"yOb>8XBO~{0 פ{ t:"k[2(PT>c5?}Mrg闶QXđG}W`/Nܓժ$-r= D?\<=Gf!zXݾnx.Wo4n[*:gȎ>wo,Z=XvHq})6Ӣ=WQ0JLr|4Ґtp'u8xz/=~"y 3,M?C"t?ވ-Y?`䷿T}dۓ1Vzsr`2VR Q?Dw  oEI?Xt'V" ~{BtU܂;@{ $߲f#b.~Y13ʑmOѕ`x OE3s䏅ib+>]3#!kX51 ۬'>d tq4,|zD?SM=1w+> 'V8E)9mӶܕĤAI҂B4얥wĨW\{n"wHȚPVW-T- D9D NE7TX+"pĻĒI ?^P4o&qn/ =L8l*b6 -'*5}L1JQ쫫9>% RkyKN ߥtc T n /ύTJ9~餷 GTG*R(Mme}ͧ58.'5̈bo=!уKOk&p]bd=u3^i<"}  -J٫c56غs;yrjy`E8a<ߧ#q}QAzA|8M/k瓔KPIV ף6:̽K$QMDF0U 2ji}ՓGV5U*5YZa~>tȕF1oqI\G:gۍy`䥒V,T˩7uϞN16 kPх%{h0e9_>PP*(7Ts,9stALr|jXo6jzQ 4wP ,9H}#nA'Z,d2sD'tl&vUZ TJ j'W[ ByFskyGX\sjO\#aeI ƋxfV-j%FG0 ,2;k43Kՠt԰tT>#u#a^ FQ{ZaZ"=,?Mt1YҶjUh9Mfikxg8ĻOcLѼNjfGQ/@@L%F H 4w#\P |P6S7OR(kUeab+;Z@kb^ Ҿ,+qܔژ* mm@+> /&=^FSx.o ^j$~p><<|6ڈyki$YcMr+ǯ\\IxC#kgqt rF@Yj$-G jlZ /uTo^7srѼ7{U=<2=N(-$=y`#o{a0 <ߩ1v?9 !'@vѻt`hL']Ag9gKc!{\nX\h:LZS4pD7Fyꢫ+ cDT.2Oa@P=SˡbX"aR1Q(Vpx ~2&IE< ,iMPs6@אla\Sp=wBpbZ!Ř!b`iĄs|%ĆRǠ{=ӺdlUoݐ%P`qT|8s =J<|ND:b)3]N"@ ' ! v767PFW0] F"O c8dzƸ+˴F'jQ} `\)u l9 :UeOLg>򽉁{:ς)s)aR;RXX_1[> MꪂOJ 2,=VRȾ<>A~guEfq H@+^@03:}KISoC1D 9\9j6IQuku.QsǑ} '\MGݪ;G/ǝ/U뢗Zhbv>H5m+LLg(P^4Mf(ND3\H% y*w"<ෝ6ঢ়616g;>@ Dg(Q~gdQ{1?sw1'? ɐ/@q /3_\eO诗A_埀>eg(U1πr 3ڿΠ = >k\픊(eK "~)PP! g z-22Bό ~/{'sg#q$^a^Zk3/Yݲq cM {}ih}0*ByeoRY=AQa. 3l?V\[[,Oнۺ{' Jݓs+z`~J\]d}+|UnE+t>w&R<#s"qDZJ5faOd_j=oND1KA1wQ' oL2f~4ĎlOAprm>v=y^x&܊xcG5ioq[~|^fJC DK(1=:cǬ*V,6of!3^ ^"_v:ic(<)R1 1@eN*u1*r6`%Q<oqg~-|LZAÆoj/XbKZ;c`\;o=V2gW<by0\9Kh `z4}z<8ҿZx9/j1N45~/#͘Pa-gvrg'lt> O!>0gTbgHIأCDOvB0@׽~rhr&\ktEEבE$&J!'.XsJD!D֣#:4!,%Ͷq cXG%)n㠃Ռ]#|Ѷ|}௚Bxz^Dl, O*_ ;Ŝz LJ @Bo)%:Tun{Xj:#K:!1Q1jkA/?nuH3۱xcc? `vwj9c˖k[aYѶz SO~n\(Co6x}Ҁ!^SL/c<9zAn0$ /1-i%^cHPVFWݜ얏 OXo| 8lO.hl}̀ XsQ%` <ݛ-Hˍ/A.Sl2qMV4@FWD0;"6Im.#sE%X,8/# kuf㿝4;>BAr$#[zD,5b;tP9͓z0 vz5gnB܍]SL&j1Bi6a1bfrY*0_kAckDeU|tG_UB3ىZqpR.)C79=CB iF 5cP.XX]-%B@w: εx CG,$?ˋ} S99.@$NSMEt1GtFW3.rm+ Sqk7.[ByڹIv$gꎾV;~v?;kt[5 a% ѨT\_7[z+;睫, lݸG:.NEyiNђtNi B"E{qrҺ|/7L~} Wha<[Wy&F{kj5U+kD;idMn+:cSEᘸe=WFs0v*bBmP? ۔́r&s.# MW\eRM9Q2;VMӝo3a-dcˤ_ ?O)