March 15, 2006 4:00 AM PST

Newsmaker: Tribble on Apple's security troubles

See all Newsmakers
Tribble on Apple's security troubles
Apple Computer has been notoriously tight-lipped about security. But lately there have been some breaks in the company's traditional silence.

On Monday, the Cupertino, Calif.-based company released the second set of Mac OS X security fixes in two weeks. Typically, Apple publishes its concise security alert on its Web site and Mac users will find the update when their computer checks for updates. That happens automatically every week on default Mac OS X installations.

But this time, Apple made Bud Tribble, one of the key architects of Mac OS, available to CNET to talk about the security of Mac OS and the company's security update process.

Tribble, vice president of software technology, started at Apple in the early days of the company, as manager of the original software team and helped to design Mac OS. He rejoined Apple in 2002 after leaving the company to work on various ventures, including the NeXT Computer, which he helped found with current Apple CEO Steve Jobs.

Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinized in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also have questioned the effectiveness of Apple's March 1 patch.

While recent events have some asking if Mac OS' charmed security life is over, Apple certainly doesn't think it is. The company's security updates are largely preemptive, Tribble notes. And though the company may start to talk about security in a more public forum, that doesn't mean it is overhauling its practices, for example by putting security patches on a schedule, like Microsoft, Oracle and Adobe Systems do, or plan to do.

Tribble recently spoke with CNET to discuss Apple and its approach to security.

Q: Are you on any kind of schedule with security updates, or do you just issue them as they come along?
Tribble: We issue them as they are needed. We don't have a fixed schedule, say a monthly specific update. We actually are driven by making sure that the issues we find are addressed in a timely manner. We realize that certainly some IT managers desire a fixed schedule, but we think that the majority of our users are served by us getting the fixes out in a timely manner, when it makes sense.

You don't rate any of the vulnerabilities that you fix. Can you actually say which issue is considered the most severe?
Tribble: We don't do that. We don't, for example, say that these two are "critical" and the other ones are not critical. We don't do that, because we recommend that if we put out fixes in a security update, that you install them all. That's why we put them there.

One of the things we want to avoid is--say we started splitting hairs and calling some subset of them critical--I think we would end up with users eventually only installing the critical fixes, when we actually think that they should all be installed.

When you compare your security alerts with Microsoft's, for example, then you have less information in your alerts. Is that intentional?
Tribble: I am not sure we actually have less information. We describe the fixes, and we relate them to which components are being fixed. We have CVE (Common Vulnerabilities and Exposures) ID numbers, and we thank the people who submitted them. I think the actual content is pretty similar.

It is a big change that you're actually talking to the media about security. Is this part of a bigger change around Apple communicating its security updates?
Tribble: We feel like we have a very proactive approach to security and engineering and marketing and responding to these things. Communicating with you is just part of that.

You used to not talk about your updates at all. Now you are, is that part of a bigger change? Or is this the only change we're going to see?
Tribble: It is probably not true that we've never talked about things. I think that talking about these things and communicating is part of our overall approach to security.

More Newsmakers

CONTINUED: Always listening to feedback…
Page 1 | 2

See more CNET content tagged:
security update, Apple Mac OS, schedule, Apple Computer, security


Join the conversation!
Add your comment
Not exactly news....
.... It must be a dull morning at CNET.
Posted by Earl Benser (4310 comments )
Reply Link Flag
How common is your reply?
Every report or at least 90% of the reports that talk about the Mac or OSX anything regarding the Apple that may be bad PR, there always seems to be someone who has this compelling urge to call it "not news". Why do I even feel compelled to reply to you?

'must be a dull morning...' 'must be a slow day...' etc

Half the time they say this when the top of the page says "BLOG".

If this wasn't news then why did the guy from Apple even show up?
Posted by BruceLawrence (90 comments )
Link Flag
I'm glad that Apple is doing this
Well I am glad that Apple is taking care of this and staying on top
of things. Whenever I see that there is a new security update I am
comforted that the company that I trust actually cares about the
products it manufactures, a company that is even willing to offer
secure systems with free security updates. Other companies do not
do this, some even charge you 50 dollars a year to do that.....
Posted by MikeyT5663 (4 comments )
Reply Link Flag
Apple's [over exaggerated by] security troubles is my homepage. It's been so for over 6 years. So, I can
say with the benefit of familiarity that this is one of those issues
that is beating to death so will generate some real news.
I've seen them do it before--keep pounding at an issue so long
that some real news happens due to their pounding.

So, OK already. Tribble has granted an interview to
discuss Mac OS X security. Great. Finally, some real news. Good
work, I guess.
Posted by schlegelmc (3 comments )
Reply Link Flag
same questions
...yes, shame once they had him sat down and willing to talk they
didn't ask him more than one question, over and over and over
Posted by l.evans (5 comments )
Link Flag
only exaggerated a little
I think exaggerates the apple threats a little bit, but they are really just pointing out that apples OS is not perfect (don't tell an apple user that unless you want to get stabbed or argue for hours on end)and that it has some problems too, though not as numerous as XP.
Posted by stealt403 (48 comments )
Link Flag
Puppet Masters
The first couple of these stories were rather amusing to watch the tidal wave of argumentative comments. I participated at first, but quickly realized the pointless nature of the entire tirade.

I understand that you all care what computer you use, but is it really worth it to worry about what computer your neighbor uses. This is like the very US argument between Ford and Chevy. Be it Mac, Linux, PC, or whatever else you choose, they all have pros and cons.

I do get the feeling though that there are a group of C|net guys laughing themselves to death by reading these posts. They are pulling our strings to get a response from us, because arguments generate hits.

C|net has some carnies working for them. They will guess your weight, give you balloons, feed you cotton candy, but at the end of the day they only care about one thing. These guys need the carnival to keep going, and they will do whatever it takes to make that happen.

I am a PC user, but I will have to admit that this issue is getting pretty old, as is the debate over who's computer is "Cooler". So argue away if you will, yell and scream, but you are just a sad form of entertainment to some guys who have run out of original material.
Posted by jwarren.carroll (84 comments )
Reply Link Flag
Funny you should post and degrade other posters
I for one am not trying to impress CNet's staff with my posts. If I want to comment on a story I will and don't think "Will CNet staff think I'm cool if I post?"
A business promoting a sensational idea/story/product to increase sales or hits? CNet is truly a pioneer. This must be the first time anything like this has happened.

I do agree that Mac v PC debates on Cnet are getting old. But then again, here I am.
Posted by stealt403 (48 comments )
Link Flag
Why come here & post?
If you didn't wouldn't be here. It's called keeping them
honest. Seems this sight has plenty of issues with that.
Posted by scweezil (171 comments )
Link Flag
CNet, try and find SOME professionalism.
"So the answer is no."

Keep your sarcasm to yourself. I know Apple = page views for CNet, but the whole adversarial thing makes you look like a troll. Seriously.
Posted by M C (598 comments )
Reply Link Flag
joke article
What a joke - this is the biggest puppet master story I have ever seen. What is happening to you, CNET?
Posted by jmanico (55 comments )
Reply Link Flag
the best part is..
the best is that the interviewer acts like Apple really even has a
segment of the IT business anyways.

what, so like three dudes are mad because it's not on a "schedule"?
Posted by regan2 (29 comments )
Link Flag
Agenda-Driven Drivel
The interviewer desperately wants to suggest that Apple
"should" put its security updates on a schedule, like Microsoft's,
and that "IT managers" are demanding it. Who? Why? Why is it
"better"? Because Microsoft was forced to do it by the blizzard of
viruses and Trojans on their platform? Why not just fix the
problems, or potential problems, as they come up? Is Apple
deficient for not doing things the "Microsoft Way"?

If C/Net has an agenda here, they should come out and say it.
Oh, wait a minute, they have. Windows good, Mac bad. They're
just waiting for worms and viruses on the Mac, and the "iPod
killer" they keep announcing like their Great White Hope, so they
can go back to ignoring the Mac like they want to.
Posted by swift2--2008 (197 comments )
Reply Link Flag
A schedule isn't better. First it implies you have issues to fix every quarter (for example). MS clearly does, Apple doesn't. Second it means you won't get a fix sooner, no matter what. MS has more flaws to serious order of magnitude than the 2 Apple has. And most of MS flaws are not revealed unless they have a fix or someone else finds it and brings it up. They no about so many issues that they don't even tell people. Do people really think their regular security updates are fixing every problem known about?

As far as the recent flaws, the one with someone breaking into a Mac Mini was actually a situation where they had been given a legitimate account on the system first. The experiment was reproduced with no one having local accounts and no one was able to break in. Basic security says to limit access to your system through various methods.

But so much has been made about MS lack of security that they and theirs want to make a big deal of a little mole hill next to their mountain.
Posted by kxmmxk (320 comments )
Link Flag
Explain to me how you get your "agenda"
I don't see it. But one thing I do see, and other posters here have agreed with, is that Tribble didn't answer the questions he was asked. There are three or four serious questions there, where all Tribble did was dribble pointless babble out without saying a thing. It's like listening to a politician speak. You hear lots of words, but where is the content?
Posted by bemenaker (438 comments )
Link Flag
To Each His Own
A variable update schedule is better if you have a small number of updates. A regular update schedule is better if you have a large number of updates.

If Apple used Microsoft's approach, their users would have to wait longer to get the update, so it would not be as good.

If Microsoft used Apple's approach, they would be releasing updates every day which their customers would hate, so it would not be as good.

Microsoft's approach is better for Microsoft's customers.

Apple's approach is better for Apple's customers.

I think it's unfortunate the author doesn't seem to *get* that, and it's unfortunate that Tribble didn't *say* that.
Posted by open-mind (1027 comments )
Reply Link Flag
Message has been deleted.
Posted by bmelnick (1 comment )
Reply Link Flag
The ultimate security challenge?
Apple's "security troubles!?"

What security troubles? lol Frankly, this was a pretty boring
interview, and when you think about it, that's actually a great
thing. In reality, poor Tribble (no trouble with this Tribble) is a
reminder of the famous "Maytag repairman," who sat at his desk
and watched the clock all day, waiting for the call when his
services are truly needed. Every once in awhile the phone would
ring, but it was always just another false alarm. The "loneliest
job in the world." lol

Well, not to belabor the point, as MS Window's fanatics will never
get it anyway, so here's my little security challenge to any and all
MS Windows slaves:

Ready? I will turn off my OS X 10.4 installed firewall for one
week. You in turn will turn off your XP SP2 installed firewall and/
or any other 3rd party firewalls you have installed. (I have no 3rd
party firewall installed.) You will disable all anti-virus, et al.
software on your machine. (I have no anti-virus, et al software
installed.) Then, for a period of one week, surf the net. And what
I mean by surf is: go nuts! Download anything! Visit any site you
wish. No need to keep a record of where you've been because it
really doesn't matter.

After a week, let's see what condition your XP box is in
compared to my OS X box.

Any takers? lol
Posted by Terry Murphy (82 comments )
Reply Link Flag
"security troubles"?
Have any OS X users experienced security problems?
Posted by CBSTV (780 comments )
Reply Link Flag
Scheduled MS Security Fixes
MS scheduled security fixes are a PR job. It contained the story
of how many problems they actually have. Remember when
stories were being released on an almost daily basis about
security issues with Windows? They were patching them as they
happened & not doing a very good job of that. Thus the
schedule. Now the security PR issues are pretty much contained
but not the actual security issue. On a schedule tells me that
they have plenty of issues that they know about & can not
possibly fix in a reasonable amount of time. Instead of fixing
them as they occur. There is probably a huge backlog. PR job all
the way. If an IT person needs a schedule they could have easily
done this themselves by downloading the patches once a month.
Why is it necessary for MS to provide them with this so called
better way. Makes absolutely no sense.
Posted by scweezil (171 comments )
Reply Link Flag
It's not better for MS, its better for us
When I say "us" I mean network administrators and corporations. Having them on a schedule makes our jobs so much easier in many ways.

The impact of randomly throwing updates out there can cause a serious disruption especially if the systems need to be rebooted afterwards. Especially if systems are running company machines and equipment.

MS has the most robust, flexible and stable way of deploying updates I have seen from any product. Probably because they've had tons of practice hehe. Really though, their mechanism for deploying updates works beautifully IMO.

Saying you're proactive is a good thing but when your updates become more frequent, users tend to get edgy.

The point of this article was to find out if more and more updates are expected from Apple at random times. If their updates become more frequent, I wouldn't be suprised if they take a scheduled type approach to deploying them.
Posted by BruceLawrence (90 comments )
Link Flag
patches on a schedule
The reason Microsoft releases patches on a schedule is it was a request from large companies (where Windows is much more prevalent than Macs). It is not a PR job but rather companies needed to have some sense of when a patch would be released so they would have time to test it and make sure it didn't disrupt their users. And by the way, *every* OS has its security problems. These are made more apparent when the OS is more popular because its popularity provides a bigger payoff for hackers. So don't get any illusions. If OS/X had the same market share as Windows Apple would be busy releasing patches every week too. I'm a long time Unix hacker so don't give me all that crap about how OS/X is inherently more secure. Please.
Posted by samis (1 comment )
Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.