    Can Apple Overcome Latest Security Backlash?

    Written by

    Ryan Naraine
    Published January 4, 2007
      A pair of renegade hackers has launched a project aimed at embarrassing Apple Computer into fixing software vulnerabilities in a timelier manner, prompting new calls for the Cupertino, Calif. company to hire a security czar to head off a growing crisis.

      The MoAB (Month of Apple Bugs) launched on New Year's Day with technical details and attack code for serious holes in the way media files are played on Apple's Mac OS X, and the two researchers—a hacker known only as L.M.H. and Kevin Finisterre—promise to expose similar insecurities every day throughout the month of January.

      The project follows L.M.H.'s MoKB (Month of Kernel Bugs) project in late 2006, which also took aim at Mac OS X, and sends a clear signal that members of the hacking community are aggressively looking to debunk the general feeling that Apple's flagship operating system is immune to virus and worm attacks.

      The latest anti-Apple sentiment is driven mostly by what is perceived as a smug attitude towards legitimate flaws by the company's uncompromising fan base, but some security analysts believe the blame should fall entirely on Apple's doorstep.

      “Those Mac commercials really rubbed the security guys the wrong way. It was like a dare to break into the Mac,” says Thor Larholm, an independent researcher based in Denmark.

      “With Apple, it always seems like the marketing message is more important than the actual building of the software and the hackers feel they have to provide a dose of reality,” Larholm said in an interview with eWEEK.

      Finisterre, a hacker renowned for his work on exploiting Mac OS X vulnerabilities, says Apple's tardy approach to releasing fixes for known flaws is more dangerous than any exploit released during the bug-a-day project.

      “A good start would be for Apple to communicate better with those folks that do the actual reporting [of vulnerabilities],” Finisterre said in response to critics of his project.

      “Perhaps more timely fixes would be nice as well. I've got one bug that has been reported to Apple for more than three months,” he added, stressing that it's normal to have to chase down the company's product security team to get updates on fixes. “They should be the ones following up with us on a routine basis,” Finisterre argued.

      Indeed, a 2006 study by the Washington Post found that Apple took about 91 days on average to issue patches for flaws that could have been used in code execution attacks.

      The study found that, almost without exception, open-source Linux vendors were months ahead of Apple in fixing the same vulnerabilities.

      The company does not have a patch release schedule, and it is very common for a security researcher to wait through two software updates before a reported flaw is fixed.

      Apple's security advisories have been criticized for being too vague, lacking severity risk ratings and missing workarounds for users who must test patches before deployment.

      In addition, the company's formal policy of refusing to “discuss or confirm” security issues until patches are released also rubs researchers the wrong way.

      Is Apple Confusing Reality with Marketing?

      Mark Loveless, a veteran hacker who now works as a senior security researcher at Vernier Networks, in Mountain View, Calif., says dealing with Apple on product flaws could be “like pulling teeth.”

      “They don't have a lot of people there who understand what motivates researchers. They're drinking the same cool-aid that their marketing people have put into those TV ads,” said Loveless, who is known in security circles as “Simple Nomad.”

      “Say what you want about the Month of Apple Bugs, it will push Apple to change. We went through it with Microsoft a few years ago. No one thought Microsoft would change but look at them now. They set the standard for how it should be done,” Loveless added.

      Thomas Ptacek, a researcher at New York-based pen-testing outfit Matasano Security, agrees that Apple's inability to ship timely patches is a big problem, but he is critical of L.M.H. and Finisterre for releasing exploits without giving advance notice to the vendor.

      “The story should be about a vendor shipping products that put customers at risk. Instead, they're making Apple into the victim,” Ptacek said, arguing that there's no justification for stockpiling flaws and exploits for the specific purpose of releasing them as part of a bug-a-day project. “What's the purpose of that?” he asked.

      Ross Brown, CEO at eEye Digital Security, in Aliso Viejo, Calif., says his research team has found Apple's engineers “very responsive” to flaw warnings. eEye has been credited with the discovery of several gaping holes in Apple's QuickTime and iTunes applications and, at every stage of the disclosure process, Brown said Apple's process worked very well.

      “They do have a problem with the time they take to provide a fix and the fact that there's no scheduled time for patches, but I don't think it's fair to blame Apple for being unresponsive,” Brown said in an interview with eWEEK.

      When Apple—or any other vendor—is slow to patch, eEye uses a color-coded system on its upcoming advisories page to display the overdue nature of the fix.

      “I like what eEye does. They document how recalcitrant a vendor is without all the month-of-bugs grandstanding,” said Matasano's Ptacek.

      Rich Mogull, a VP of research in Gartner's Information Security and Risk practice, was equally dismissive of the MoAB approach.

      “This Month of stuff is getting out of hand. As messed up as the industry's disclosure approaches may be, dumping code isn't the answer. [While] there is sometimes a time and place for releasing code, this clearly isn't it,” Mogull said.

      He described the project as the “cyber-equivalent of a self-declared vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar-bait, to prove to them how weak their lock vendor is.”

      Mogull warned that the daily release of exploit code “is only going to make us end users less secure, and make it even harder to deal with vendors.”

      Despite the disagreements—L.M.H. and Finisterre are considered heroes in the hacking community—Vernier's Loveless believes the fallout from the negative publicity will force Apple to heed calls for the hiring of a security czar with the clout to implement the necessary changes.

      “They need someone with real authority to drive decisions and that might actually force a change there. They have to change this smug, feisty approach to dealing with security. The notion that the Mac is secure is ridiculous. They need someone there to separate marketing from reality,” Loveless said.

      Apple did not respond to a request for an interview. In a statement sent to eWEEK when the MoAB was launched, company spokesman Anuj Nayar said Apple, “takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”
