Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Apple
    • Apple
    • Cybersecurity

    Apple Gets Security Lecture from Microsoft

    By
    Ryan Naraine
    -
    March 22, 2006
    Share
    Facebook
    Twitter
    Linkedin

      Apple is getting a lecture on its security response process from the unlikeliest of places.

      In a classic flipping of the script, a Microsoft program manager who regularly serves as the public face of the software makers security response process rapped Apple for the way it handles security guidance to customers.

      In a series of entries on his personal blog at Stepto.com, Microsoft program manager Stephen Toulouse called on the Cupertino, Calif.-based Apple to hire a security czar and revamp the way information is released when Mac OS X updates are shipped.

      “Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe,” Toulouse declared in a reaction to what he described as the “recent trials and tribulations of Apple in the security space.”

      “Heres the reality, for the next couple of years the Mac OS will experience increasing security threats and mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months,” Toulouse added.

      /zimages/2/84833.gifZiff Davis Media eSeminars invites you to discover new high-availability and disaster recovery solutions from XOSoft that will help keep your business on its feet when disaster strikes. Join us live on March 29 at 2 p.m. ET.

      He said Apple needs a person “steeped in security issues, true technical analysis, and can lead a good security team to get good guidance out there.”

      Toulouses statements, which were posted on his own blog and reflected only his personal opinions, echoes a growing sentiment—in and outside Redmond—that Microsoft is now the standard by which other vendors are judged when it comes to dealing to security crises.

      In the aftermath of the Blaster and Slammer worm attacks, Microsoft has made significant changes to the way it fesses up to security vulnerabilities and communicates with hackers in the private research community.

      Toulouse said the company certainly learned from its own problems. “A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first. Weve learned the lesson of getting out there fast and providing clear prescriptive guidance,” he added.

      /zimages/2/28571.gifNew Safari flaw, worms turn spotlight on Apple security. Click here to read more.

      In response to an Apple spokesman who was quoted in a BusinessWeek article as saying the company does not need a security figurehead because the entire Apple staff cares about security, Toulouse said: “Thats a little like saying the White House shouldnt have a Department of Homeland Security because, DUH, everyone in the government cares about security!”

      A separate entry on Toulouses blog also takes issue with statements from Apple that the content in its security advisories are similar to those released by Microsoft.

      Next Page: Toulouse picks apart Apple security advisories.

      Toulouse Picks Apart Apple


      Security Advisories”>

      “[I] went to their most recent security update documentation. I note no mitigating factors in Apples security communication for customers to assess their risk. I note no frequently asked questions in Apples security communication to cover what an attacker could and could not do or any other information customers might ask about. I note no workarounds in Apples security communication for people who cannot immediately deploy the update,” Toulouse declared.

      “I note no deployment information for enterprises in Apples security communication. I note no severity rating for any of the issues again so customers can assess their risk since updating can be disruptive sometimes. I note no file manifests in Apples security information for customers to check to make sure updates are applied properly if they wish. I note no caveats in Apples security communication in case changes made in the update cause known application compatibility issues or support issues are discovered,” he added.

      “I note no free support number for trouble with updates in Apples security information in case customers need help applying the update,” Toulouse countered.

      /zimages/2/28571.gifClick here to read about how Apple plugged a Mac OS X worm hole.

      He stressed that Microsofts prepatch security alerts and subsequent security bulletins contain all that information because thats what customers demand.

      When Apple was forced to re-release a security patch because of problems caused by the original update, Toulouse posted a third blog entry with another call for Apple to implement better internal security coordination and highlighted several weaknesses in the way Apple announced the patched patch.

      “In the original advisory, they note that a new version is available, so thats good. But, theres no RSS feed around it. You can get an RSS feed for ALL support articles, but not just for the ones that apply to security updates. Apple does have a security announce mailing list. But it doesnt seem to cover when there are new versions available when a bug is introduced by the update,” he noted.

      “One might argue that you dont need those things if you are using the built-in auto-update functionality of OS X, but I would argue back that the fact there was an update to the update might mean people turn that off to test updates before deployment because of problems like this. Oh well,” Toulouse declared.

      /zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×