Might we see Apple put its alerts on a schedule or adding information to its security alerts? Are there any plans for changes there?
Tribble: If users have feedback on other things they'd like to see, we always are listening to that. It has been satisfactory. As I say, communicating--whether it is in bulletins, or talking to you--we're always happy to talk about our security story, because we think we have a pretty good one.
In your current security update, you tweaked the download validation function. Does that update include anything that will protect users if they download files using an application other than Safari, iChat or Mail?
Tribble: The download validation that we do is in Safari and Mail and iChat. We strengthened that validation, and we believe that the vast majority of the issues that come up along these lines have to do with downloads that come in either through Safari, or iChat or Mail.
Some experts have suggested that you should put protections at a lower level in the operating system, so it would be impossible to make a file look innocent, while it is actually malicious. Have you taken that on and done any work on it?
Tribble: Well, yes. We're definitely always taking in the feedback. We're always listening to good ideas.
Of the issues that Apple addresses in its new update, is anything actually being abused or exploited for attacks on Mac users?
Tribble: That's a good point. None of these issues are things where there are exploits in the wild. In a way, you could say these are preemptive fixes to prevent potential problems from arising.
I think everything in the update is important from that standpoint. Things we're putting out increase the level of security in Mac OS X.
Last year, your security updates came about once a month, or with even longer pauses. Now you've released a security update two weeks after another. Does this indicate that you have to deal with a higher number of security issues in the OS, or is that just a coincidence?
Tribble: We tend to respond as rapidly to issues as they are found by the community. We're really driven more than anything by trying to get a timely response out there.
So the answer is no. Your issuing another patch within two weeks of your first patch doesn't mean that there are more vulnerabilities in Mac OS X to be fixed?
Tribble: I think it just means that we're working hard. We're not targeting any fixed schedule, we're actually trying to be timely in our response.
Another thing that experts sometimes suggest is that Mac OS security is suffering because it now runs on an Intel platform. Is that just a fairy tale?
Tribble: I don't believe that is true. Security issues target specific OSes, and the instruction set does not really have a huge effect on that. Furthermore, all of the mechanisms that we had and are developing are working equally well on PowerPC and Intel. If anyone is concerned that somehow, by moving to a new architecture, all of the security work that we have done in Mac OS gets left behind, that's not the case.
Some security researchers say Apple is a pain to deal with. They say you don't respond quickly and they feel like information on security vulnerabilities is going down a black hole. I am sure you don't agree with that assessment.
Tribble: There is a quite active security community out there in terms of CERT, FIRST and the BSD security community. We are in close touch with those guys. When there are external issues reported and we fix them, we thank the submitter. I would not agree with that characterization.
Do you have a process in place for responding to security researchers?
Tribble: Yes we do. There is a security Web page and there is a mail alias, which is product-security@apple.com.
In terms of your dealings with individual security researchers, do you feel like you have a good rapport with them? And is that important to you?
Tribble: I think we do. There is a very broad set of people out there who are doing something or other with security. I think we attempt to deal with them all with a pretty even-handed policy that optimizes us getting the information that we need to fix the issues.
Do you compare yourself with any other software vendor when it comes to security?
Tribble: We just do the best job we can. We are focused on it, all up and down the levels of the company. We know that it impacts the experience that our customers are going to have.
'must be a dull morning...' 'must be a slow day...' etc
Half the time they say this when the top of the page says "BLOG".
If this wasn't news then why did the guy from Apple even show up?
of things. Whenever I see that there is a new security update I am comforted that the company that I trust actually cares about the products it manufactures, a company that is even willing to offer secure systems with free security updates. Other companies do not do this, some even charge you 50 dollars a year to do that.....
say with the benefit of familiarity that this is one of those issues that news.com is beating to death so it will generate some real news. I've seen them do it before--keep pounding at an issue so long that some real news happens due to their pounding.
So, OK already. Tribble has granted news.com an interview to discuss Mac OS X security. Great. Finally, some real news. Good work, I guess.
didn't ask him more than one question, over and over and over again...
I understand that you all care what computer you use, but is it really worth it to worry about what computer your neighbor uses. This is like the very US argument between Ford and Chevy. Be it Mac, Linux, PC, or whatever else you choose, they all have pros and cons.
I do get the feeling though that there are a group of C|net guys laughing themselves to death by reading these posts. They are pulling our strings to get a response from us, because arguments generate hits.
C|net has some carnies working for them. They will guess your weight, give you balloons, feed you cotton candy, but at the end of the day they only care about one thing. These guys need the carnival to keep going, and they will do whatever it takes to make that happen.
I am a PC user, but I will have to admit that this issue is getting pretty old, as is the debate over whose computer is "Cooler". So argue away if you will, yell and scream, but you are just a sad form of entertainment to some guys who have run out of original material.
A business promoting a sensational idea/story/product to increase sales or hits? CNet is truly a pioneer. This must be the first time anything like this has happened.
I do agree that Mac v PC debates on Cnet are getting old. But then again, here I am.
honest. Seems this site has plenty of issues with that.
Keep your sarcasm to yourself. I know Apple = page views for CNet, but the whole adversarial thing makes you look like a troll. Seriously.
segment of the IT business anyways.
what, so like three dudes are mad because it's not on a "schedule"?
"should" put its security updates on a schedule, like Microsoft's, and that "IT managers" are demanding it. Who? Why? Why is it "better"? Because Microsoft was forced to do it by the blizzard of viruses and Trojans on their platform? Why not just fix the problems, or potential problems, as they come up? Is Apple deficient for not doing things the "Microsoft Way"?
If C/Net has an agenda here, they should come out and say it. Oh, wait a minute, they have. Windows good, Mac bad. They're just waiting for worms and viruses on the Mac, and the "iPod killer" they keep announcing like their Great White Hope, so they can go back to ignoring the Mac like they want to.
As far as the recent flaws, the one with someone breaking into a Mac Mini was actually a situation where they had been given a legitimate account on the system first. The experiment was reproduced with no one having local accounts and no one was able to break in. Basic security says to limit access to your system through various methods.
But so much has been made about MS lack of security that they and theirs want to make a big deal of a little mole hill next to their mountain.
If Apple used Microsoft's approach, their users would have to wait longer to get the update, so it would not be as good.
If Microsoft used Apple's approach, they would be releasing updates every day which their customers would hate, so it would not be as good.
Microsoft's approach is better for Microsoft's customers.
Apple's approach is better for Apple's customers.
I think it's unfortunate the author doesn't seem to *get* that, and it's unfortunate that Tribble didn't *say* that.
What security troubles? lol Frankly, this was a pretty boring interview, and when you think about it, that's actually a great thing. In reality, poor Tribble (no trouble with this Tribble) is a reminder of the famous "Maytag repairman," who sat at his desk and watched the clock all day, waiting for the call when his services are truly needed. Every once in awhile the phone would ring, but it was always just another false alarm. The "loneliest job in the world." lol
Well, not to belabor the point, as MS Windows fanatics will never get it anyway, so here's my little security challenge to any and all MS Windows slaves:
Ready? I will turn off my OS X 10.4 installed firewall for one week. You in turn will turn off your XP SP2 installed firewall and/or any other 3rd party firewalls you have installed. (I have no 3rd party firewall installed.) You will disable all anti-virus, et al. software on your machine. (I have no anti-virus, et al software installed.) Then, for a period of one week, surf the net. And what I mean by surf is: go nuts! Download anything! Visit any site you wish. No need to keep a record of where you've been because it really doesn't matter.
After a week, let's see what condition your XP box is in compared to my OS X box.
Any takers? lol
of how many problems they actually have. Remember when stories were being released on an almost daily basis about security issues with Windows? They were patching them as they happened & not doing a very good job of that. Thus the schedule. Now the security PR issues are pretty much contained but not the actual security issue. On a schedule tells me that they have plenty of issues that they know about & can not possibly fix in a reasonable amount of time. Instead of fixing them as they occur. There is probably a huge backlog. PR job all the way. If an IT person needs a schedule they could have easily done this themselves by downloading the patches once a month. Why is it necessary for MS to provide them with this so called better way. Makes absolutely no sense.
The impact of randomly throwing updates out there can cause a serious disruption especially if the systems need to be rebooted afterwards. Especially if systems are running company machines and equipment.
MS has the most robust, flexible and stable way of deploying updates I have seen from any product. Probably because they've had tons of practice hehe. Really though, their mechanism for deploying updates works beautifully IMO.
Saying you're proactive is a good thing but when your updates become more frequent, users tend to get edgy.
The point of this article was to find out if more and more updates are expected from Apple at random times. If their updates become more frequent, I wouldn't be surprised if they take a scheduled type approach to deploying them.