May 4, 2004 5:16 PM PDT

Apple criticized for security advisories

A researcher has again taken Apple Computer to task for not adequately labeling the seriousness of the security flaws described in its advisories.

Patches for five vulnerabilities released Monday fix various components of the Mac OS X operating system. The greatest threat is a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take over control of the system. But the company described it as a correction "to improve the handling of long passwords."


"They are not characterizing the issue so that people can make a security decision about it," said Chris Wysopal, vice president of research and development at @Stake, a digital security firm that found the flaw and reported it to Apple. "It seems they think that everyone will update their computers all the time, and that is not the way the world works."

Most security companies normally classify a remotely exploitable software flaw as a "critical" vulnerability.

Wysopal is the second researcher in a week to criticize Apple for downplaying the vulnerabilities in its system. eEye Digital Security, the company that found a flaw in Apple's QuickTime multimedia player in February, also claimed that Apple is not properly characterizing vulnerabilities.

Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," the company stated in an advisory it published late Friday afternoon.

However, eEye said a movie file could be created that would cause malicious code to execute when the user opened the file.

"We told them that if you are not able to execute code, then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer at eEye.

An Apple representative could not be reached for comment.

Four flaws, including the flaw in the AppleFileServer, affect Mac OS X 10.2.8, also known as Jaguar. All five flaws affect Mac OS X 10.3.3, or Panther.

Mac's extreme vulnerability
by Clues May 4, 2004 7:22 PM PDT
I can certainly see why these pundits are screaming about the
Mac's extreme vulnerability, after all we all know there are
millions of Windows computers being infected from the daily
parade of new viruses. The thousands of security holes waiting
and discovered in Windows is simply an impossible security
situation, because there is no way to fix the problem, so
Microsoft must daily try to patch holes already being exploited.
This will never end as long as there is Windows and those who
blindly use this archaic 1970 concept of an operating system.
Nobody would ever attempt to use anything but a UNIX base that
is tried and tested if starting a new operating system for modern
computing and security.

So this brings us to the long list of front men for Microsoft who
daily shovel ever more FUD (bs) about how vulnerable the Mac is
and how Macs are the continuous source of virus infections
destroying every Mac in sight through their masses of
vulnerabilities.

Interestingly there has never been a Mac OS X virus and all the
vulnerabilities are foreclosed by Apple before one single Mac is
ever compromised by these fictitious viruses that, well don't exist.

The credibility of these media / security flakes is, yes,
nonexistent. To read all the hundreds of headlines about Mac
vulnerabilities you would think they had 90% of the OS market
and used the flakiest operating system out there instead of
having the most tested UNIX, most secure UNIX and absolutely
no viruses or exploited vulnerabilities ever.

If it's not crystal clear that Microsoft is trying to drag the Mac
down to their pathetic level well you're simply not a thinking
person and have no discernment at all.
First i've heard
by gpm May 5, 2004 9:06 AM PDT
Actually, this is the first story i've ever read or heard about Mac vulnerabilities. Now, i'm not necessarily reading all the same publications you are, but i consider myself reasonably well-informed, and if any subject had such a deluge of stories as you describe, i'm sure i would have heard of it.

I'm no fan of M$ either, but i'm uncomfortable with this aggressive sensitivity so many Mac people seem to have. If you love your system, that should be good enough for you; why does it matter whether anybody else wants to use it?
This story is a joke
by a9mike May 4, 2004 7:38 PM PDT
And it's not even funny. Yes, OS X (Panther) is not perfect,
although very close, and no operating system is or ever will be.
Bottom line as quoted by an independent analysis...

"If Windows with its known vulnerabilities has proven good
enough for corporate use, OS X is certainly as good as that
standard, if not better in certain ways," - Michael Gartenberg of
Jupiter Research - http://www.jupiterresearch.com/bin/item.pl/home
Yeah, this story is a joke
by May 4, 2004 8:31 PM PDT
What's the point of posting this story the DAY after Apple
released another security update and about a week after the
Quicktime update came out? Mac OS X is incredibly secure and
there is no sense drawing attention to outdated concerns to
Apple while Microsoft Windows systems are being shredded to bits
by Sasser?
Its only important when you have 30+ patches a year.
by Jonathan May 4, 2004 10:54 PM PDT
OK I don't own a Mac or OS X: Panther but I think the number of sec patches is less than 10. Windows XP has something around 40+ total not including SP1. When you have 10 freaking patches you don't need to have a system setup for how critical a patch is.

You see with Windows you are so freaking inundated you need to make the decision on which patches need to be installed and which ones don't. This is a FUD tactic pure and simple.
Unbiased List of Security Vulnerabilities
by May 5, 2004 1:17 AM PDT
For a clear unbiased view of the Security Vulnerabilities involved
in Windows vs Macintosh format check out this link:

http://www.ciac.org/ciac/bulletinsByType/bul_vendor_list.html

Click on the links under "Vendor" for Apple and Microsoft and
scroll down through them and you will get a very clear idea of
the differences in the securities of the two systems. This article
seems to be FUD pure and simple.
Hog Wash
by May 5, 2004 5:10 AM PDT
funny how every time I read articles critical of the Mac os
there always seems to be a microsoft ad right next to it...
coincidence??
you decide.
windows vs. mac
by tooner440 May 5, 2004 7:18 AM PDT
IMO, an accurate comparison can't possibly be made until the Mac enjoys, or suffers from (however you want to look at it) a 90% market share. Until that happens, opinions are welcome, but can't possibly be anything but pure conjecture.
You guys are too critical.
by May 5, 2004 2:56 PM PDT
All the story is talking about is that Apple didn't tell people how severe the problem is. What's wrong with that? Isn't it the truth? I know I sure as hell would like to know what's going on. Apple was sugar coating it, and that's not right.
The unknown
by May 5, 2004 3:01 PM PDT
Okay, let's face facts ... Mac has a couple of security problems (which are now resolved.) Considering that it covers pretty much everything that people ever want or need in a personal computer, that's not too bad in my book.

Windows (esp XP) has had security patches nearly every single week ever since it was released ... but you know the scary thing? These patches are only on the security holes Microsoft know about ... what about the ones that MS don't know about and until someone 'honest' jumps up and says, "Hey, look!" ... they (hackers, etc) will simply carry on exploiting a very unsecured and flawed OS.

I've decided after many months of suffering spyware and viruses (yes, I do have a firewall and virus checker) on my Windows XP, that I'm moving to Mac's OSX.

Goodbye MS, no hard feelings aye?!