Apple and security: Abuse and ignorance

Here we go again. Security experts warn that there is a hole in one of Apple’s products; Apple says there isn’t a problem; and a month later it releases a fix for it. I write a story pointing this out and am faced with mindless abuse from the Apple faithful.

Exactly the same thing has happened several times in the past and it’s not just me, it’s anyone that points out the startingly obvious: that OS X, Safari, MacBooks, whatever, do not exist within some holy forcefield of invulnerability – they are just electronic products.

The aggressive response is something that everyone who covers Apple security issues is faced with, causing many IT journalists to refer to the ranting and irrational Apple hordes as “Mac maniacs”.

It has also led to every major security company to warn at one time or another that the furiously defended immunity that Apple users appear to believe their products have, is unfounded. But still it continues.

Anyone who covers Apple’s security problems is very quickly faced with the same frustrating pattern. A hole is discovered and then Apple either refuses to discuss the issue or it says it is “looking into the issue” and refuses to say anything else until it has properly reviewed it. The company then produces a fix in its own time and releases it along with a whole bunch of other patches, providing the bare minimum of information in the hope no one notices.

At no point does it inform its users that there is a problem, and it goes out of its way to underplay the extent of the hole in the advisories when the fix is finally produced.

If a security company, frustrated at delays, goes public with the hole, Apple immediately criticises the company, and then claims the hole is not significant and it knows of no actual exploits. It does the same every time and this damage limitation is subsequently and consistently shown not to be true.

What’s crazy is that these exact same criticisms used to made of Microsoft, to the extent that the company’s security image has never recovered. But rather than go Microsoft’s more open and honest route, Apple has decided to go the ostrich route and rely on its own customers’ fierce loyalty to protect it. I really don’t see how this approach is sustainable.

So, after the latest malign missives, I figured I’d compile a few of these occasions as a response, rather than get sucked into pointless name-calling. I have no doubt I’ll have cause to update it and send it to people countless times in the future.

Problems? What problems!

August 2006

• Apple’s new Intel-based Mac laptops face random-shutdowns and a website, macbookrandomshutdown.com, is created. Apple refuses to discuss or acknowledge issue.

• SecureWorks security researchers report a hole in MacBook that allow someone to take control of the machine. Apple refutes the hole exists: “Despite saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is.” A month later, Apple releases a patch for the hole.

March 2006

• Apple releases third security patch in one month for Mac OS X. Johannes Ullrich of the SANS Institute’s Internet Storm Center complains that “Apple does not appear to offer the patches in distinct packages, which will make testing in larger environments tricky”.

• Apple Security Update 2006-002 causes network issues, system crashes and booting problems. It is replaced with 2006-002 v1.1.

• Microsoft Security Response Center manager Stephen Toulouse warns that Apple needs to wake up, hire a security chief, and put more information in its security advisories. “Mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months.”

• Security company eEye complains that it told Apple of a critical vulnerability 153 days earlier but it still hadn’t been patched.

• Ken Dunham, director of the rapid response team at iDefense, warns that: “Many Macintosh users are more likely to be complacent toward computer security and therefore are more likely to be vulnerable to any future threats that emerge against the Macintosh operating system.”

February 2006

• Mac OS X hit by an instant messaging virus called Leap-A. Graham Cluley of Sophos warns. “Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real.”

• “Worst-yet” security flaw found in OS X. Symantec gives it a “high severity” rating; Secunia and FrSIRT, give it their highest severity ratings. Secunia chief technology officer Thomas Kristensen says: “Mac OS X users should be really careful these days.” Apple refuses to comment.

January 2006

• Apple patches five big holes in QuickTime. Kyle Haugsness of the SANS Internet Storm Center covers every aspect and stresses size of the hole: “Well that pretty much covers the whole Web browsing thing.” Apple response: “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

November 2005

• SANS warns that Mac OS X users “still face many vulnerabilities” and warns that “in certain cases exploit code has also been posted publicly”. It criticises Apple: “Apple frequently issues Mac OS X cumulative security updates that tend to include fixes for a large number of vulnerabilities with risk ratings ranging from critical to low. This complicates the tracking of vulnerabilities for this OS, and the best way to ensure security is to apply the latest cumulative patch.”

August 2005

• Apple pulls and re-releases a security patch (Security Update 2005-007) that covered holes in over 40 components but which rendered 64-bit applications unusable, sparking thousands of angry phonecalls.

April 2005

• MacOS marketing manager Brian Croll says “we have done our utmost to ensure that there are no security issues outstanding” and claims that there are no delays between Apple hearing about vulnerabilities and their being patched. “We deal with these things incredibly quickly, and we find that being part of the open source community means that there lots of eyes on the problem so issues get raised and solved quickly”.

• Apple releases a patch for a patch. Java Update for Mac OS X v10.3.9 after the earlier causes some websites to fail and the Safari browser to crash.

February 2005

• Apple releases Mac OS X patch for a major security hole in Java – three months after Sun’s original warning. No mention of the hole had been by Apple prior to the patch.

June 2005

• Security firm Immunity reports several holes in Darwin, the Unix implementation Apple calls the “rock-solid foundation” of Mac OS X. The vulnerabilities affect all recent versions of OS X. Apple says it will investigate the holes.

• Secunia warns that OS X’s reputation as a relatively secure operating system is unwarranted. “The myth that Mac OS X is secure has been exposed,” says chief executive Niels Henrik Rasmussen. A wide-ranging report states that 33 percent of OS X vulnerabilities discovered were “highly” or “extremely” critical, compared with 30 percent for Windows XP and 27 percent for Suse Linux. OS X also had the highest proportion of “extremely critical” bugs at 19 percent.

December 2004

• Security company NetSec says Apple had failed to fix a hole in the HFS+ filesystem despite claiming a fix it had put out covered the vulnerability. “They’ve slapped a band-aid on the problem,” complained NetSec’s Tom Parker.

October 2004

• New worm discovered for Mac OS X. “The computer’s state is compromised to the extent that anyone with knowledge of the script could login and access the log files containing serial numbers and passwords,” says Symantec.

May 2004

• Apple releases Mac OS X 10.3.4 without vital security patch (Security Update 2004-05-24) despite claiming that the release “includes recent Mac OS X Security Updates”.

• Apple falsely claims to have patched an extremely critical hole with an earlier “help” patch. The hole allows a malicious hacker to remotely execute code, and the company was informed of it over three months earlier. Apple dismissed it as “theoretical vulnerability” and claims there is not “any actual risk to our customers”.

• Head of Secunia, Niels Henrik Rasmussen, criticises Apple’s approach to security: “Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update.”

• Security experts eEye say Apple is hurting its own user base: “Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a ‘crash bug’ rather than stating correctly that attackers can compromise systems running the affected Apple software.”

• Secunia decides it cannot trust Apple’s security assessments over another two holes: “The severity has been set to ‘highly critical’ because the unspecified issues are likely to be more severe than claimed by the vendor.”

April 2004

• Security company Intego is criticised for exaggerating the threat of a Trojan horse using a Mac vulnerability. “We are aware of the potential issue identified by Intego and are working pro-actively to investigate it,” Apple says. “While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities.” It is later confirmed that the file is malicious and wipes out a user’s Home folder when opened.

March 2004

• Security company @stake reports new holes in OSX to Apple. Apple says nothing about the holes. The US government produces its own advisory on the issue. Apple says nothing. The UK government produces an advisory. Apple puts up a notice on an alerts page, but does not inform users.