Is Apple Confusing Reality with Marketing?

By Ryan Naraine  |  Posted 2007-01-04

Mark Loveless, a veteran hacker who now works as a senior security researcher at Vernier Networks, in Mountain View, Calif., says dealing with Apple on product flaws could be "like pulling teeth."

"They don't have a lot of people there who understand what motivates researchers. They're drinking the same Kool-Aid that their marketing people have put into those TV ads," said Loveless, who is known in security circles as "Simple Nomad."

"Say what you want about the Month of Apple Bugs, it will push Apple to change. We went through it with Microsoft a few years ago. No one thought Microsoft would change but look at them now. They set the standard for how it should be done," Loveless added.

Thomas Ptacek, a researcher at New York-based pen-testing outfit Matasano Security, agrees that Apple's inability to ship timely patches is a big problem, but he is critical of L.M.H. and Finisterre for releasing exploits without giving advance notice to the vendor.

"The story should be about a vendor shipping products that put customers at risk. Instead, they're making Apple into the victim," Ptacek said, arguing that there's no justification for stockpiling flaws and exploits for the specific purpose of releasing them as part of a bug-a-day project. "What's the purpose of that?" he asked.

Ross Brown, CEO at eEye Digital Security, in Aliso Viejo, Calif., says his research team has found Apple's engineers "very responsive" to flaw warnings. eEye has been credited with the discovery of several gaping holes in Apple's QuickTime and iTunes applications and, at every stage of the disclosure process, Brown said Apple's process worked very well.

"They do have a problem with the time they take to provide a fix and the fact that there's no scheduled time for patches, but I don't think it's fair to blame Apple for being unresponsive," Brown said in an interview with eWEEK. When Apple—or any other vendor—is slow to patch, eEye uses a color-coded system on its upcoming-advisories page to display how overdue the fix is.

"I like what eEye does. They document how recalcitrant a vendor is without all the month-of-bugs grandstanding," said Matasano's Ptacek.

Rich Mogull, a VP of research in Gartner's Information Security and Risk practice, was equally dismissive of the MoAB approach. "This 'Month of' stuff is getting out of hand. As messed up as the industry's disclosure approaches may be, dumping code isn't the answer. [While] there is sometimes a time and place for releasing code, this clearly isn't it," Mogull said.

He described the project as the "cyber-equivalent of a self-declared vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar-bait, to prove to them how weak their lock vendor is." Mogull warned that the daily release of exploit code "is only going to make us end users less secure, and make it even harder to deal with vendors."

Despite the disagreements—L.M.H. and Finisterre are considered heroes in the hacking community—Vernier's Loveless believes the fallout from the negative publicity will force Apple to heed calls for the hiring of a security czar with the clout to implement the necessary changes.

"They need someone with real authority to drive decisions and that might actually force a change there. They have to change this smug, feisty approach to dealing with security. The notion that the Mac is secure is ridiculous. They need someone there to separate marketing from reality," Loveless said.

Apple did not respond to a request for an interview. In a statement sent to eWEEK when the MoAB was launched, company spokesman Anuj Nayar said Apple, "takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
