June 3, 2004 4:00 AM PDT

For Mac security, communication is key

When it comes to security, Apple Computer's report card reads like that of a gifted child: high marks for achievement, but needs to communicate better with others.

In general, the Mac operating system has seen far fewer bugs than its Windows counterpart. But some say a recent vulnerability demonstrates that the notoriously tight-lipped company must communicate more openly on security issues and move more quickly when it comes to plugging holes.

News.context

What's new:
After three years of avoiding viruses, Mac OS X has had its first case of the sniffles.

Bottom line:
Apple has a strong security record, evidenced by its virtually virus-free record, but some say the company needs to be better about communicating with customers and security researchers.


"I think there's room for improvement with their response speed on problems with their own code," said Chris Adams, a Mac user and system administrator for San Diego's Salk Institute for Biological Studies, a research center that's played a part in training five Nobel Prize-winning scientists. "The general pattern is complete silence for months and then a terse announcement when the update is released."

Adams said Apple has done a pretty good job of updating the operating system to fill holes found in various Unix components. But what is needed, Adams and others contend, is more dialogue about what the company is doing with regard to security.

"At the very least, they need to communicate with the people who report these problems, so it's obvious that work is happening," Adams said in an e-mail interview. "Depending on the problem, it may also be a good idea to announce a workaround if a fix won't be available quickly."

The issue of Apple's communication with the security industry came to the forefront last month. Researchers went public with a combination of vulnerabilities that, if exploited, could allow a Mac to be taken over by hackers. One of the researchers involved, a coder known as "lixlpixel," said he privately notified Apple of a problem in February but went public with his findings in May after not hearing back from the company.

Apple Senior Vice President Phil Schiller said the Mac's security is good and noted that the company is under more scrutiny now that the Mac is facing what he described as the first critical vulnerability since the release of Mac OS X three years ago.

According to Schiller, there was more to the critical issue Apple wound up addressing in May than just the flaw reported to the company several months earlier.

"What was learned in February was only a small piece of the picture and didn't present as great a threat," Schiller said. "The complete picture of this current threat has actually been very recent."

Beat of a different drum
Although the tech industry has guidelines that call for researchers to notify vendors of threats and then wait at least 30 days before going public, Schiller said Apple uses its own process to decide when to issue a patch, a process that takes into account Apple's assessment of the threat posed by the vulnerability.

Apple has released a partial patch, but security researchers say the OS remains vulnerable to attack.

Some of the other knocks on Apple's response to security issues also center on the company's communications. For example, critics have called on Apple to offer more detailed information on its Web site, as well as to offer a dedicated e-mail address for reporting bugs. But Schiller said Apple does both those things--security concerns can be sent to product-security@apple.com, and the company posts information on its Web site. But he conceded that many people don't know about those programs and that the company could be doing a better job.

"We're actually doing a lot of the right things people want," Schiller said. "They're just not aware of it."

There are, however, additional areas where Apple differs from other OS vendors. Unlike Microsoft and Red Hat, Apple does not have a life-cycle policy that guarantees which versions of the operating system will receive patches. Schiller said Apple makes those decisions on a case-by-case basis, rating the severity of the risks and balancing that with how hard it is to update older versions.

The company has offered updates to older versions in some cases but has not always been clear about those decisions. Last October, Apple waited several days before confirming it would offer a security patch for older systems. The initial silence by the company fueled speculation that Apple was going to leave older users unprotected.

While Microsoft has set up a separate security business unit to deal with such issues, Apple has decided not to. The responsibility falls broadly to the Mac OS X crew and other software product groups to ensure the security of their products, Schiller said. "It's everyone's job," he said. "We don't have to create a special team to solve these things...Everyone who works on software also works on security at some level or another."

Worse than it sounds?
Another critique, leveled by digital-security company @Stake, is that Apple has downplayed the threat of potential vulnerabilities in its descriptions of flaws.

In one example, Apple last month patched a series of holes including a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take control of the system. Apple, though, described it as a correction "to improve the handling of long passwords."

"They are not characterizing the issue so that people can make a security decision about it," Chris Wysopal, @Stake's vice president of research and development, said last month. Apple "seems to think that everyone will update their computers all the time, and that is not the way the world works."

In another case, a security company called eEye said Apple rated as minor a QuickTime flaw eEye had found. Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash, while eEye said the real problem was that it could allow malicious code to be executed.

Schiller said Apple will look into how it communicates the details of potential threats.

"Certainly that is criticism we will take," Schiller said. "If people think we can do a better job of communicating some of this to everybody, then we will do a better job."

But some Mac users say that as long as Apple keeps potential problems from becoming real headaches, they don't need more detail from the company.

"I haven't been burned yet," said Lauren Connolly, a system administrator at the California Institute of Technology who has used Macs for 20 years. Connolly said she has never had a system infected because of something Apple didn't patch, nor has she had problems with any of the patches Apple has put out.

"They haven't given me any reason not to trust what they've been releasing," she said.

Indeed, the Mac's strongest selling point is its track record. Schiller and others point out that the Mac has proved to be a much lower security risk in recent years, with most of the vulnerabilities being caught at the potential stage--or before customers have actually been affected. Schiller said Apple has fixed 138 issues in 43 security updates since the debut of Mac OS X, with only one of those considered critical. "Windows XP has had 77 updates in that time," Schiller said. "Two-thirds of those updates have been critical."

Analysts agree that Mac OS X has so far proved to be more secure than Windows.

"They've had less patches," said Ray Wagner, a research director at Gartner. "We're not talking an order of magnitude (less). We're talking maybe half as many."

The bigger they are...
However, the question is whether that will continue to be the case. The Mac has attracted somewhat less attention from hackers because of its niche position in the PC market--it holds less than 5 percent market share worldwide. Because Macs are fewer in number, it would be tough for a Mac-centered mass-mailing worm to find enough targets to allow it to propagate effectively.

On the flip side, the company is gaining cachet in the Unix world that some say could make Apple a juicier target in the future. Additionally, security companies may devote more time to finding Mac OS holes, which could lead to more discoveries.

Others say the current challenges add up to adolescent growing pains as the company and Mac OS X mature.

"Apple is coming to terms with dealing with these types of issues," said independent security researcher Richard Forno, who also noted that Apple has offered a much more stable and secure option than Windows.

Most of the vulnerabilities that have been found have been in the Mac's Unix underpinnings, rather than in the Mac OS shell. And the code base itself--a version of BSD Unix--is pretty well tried and true because it's been in use for more than a decade.

Despite its relative stability, one challenge is that the average Mac user may not even be aware that the OS contains all this Unix code that could potentially have holes.

"It's kind of new for all Mac users, unless they had a good Unix background to begin with," said Michael Junkroski, who, along with his brother Patrick, runs VSM.net, a Florida-based IT consultancy that is an all-Mac shop. "I think we were all probably a little lax because we thought the OS was impenetrable."

Junkroski said there are 55,000 viruses in the wild that affect Windows machines, compared with zero for Mac OS X. "In theory, a few (vulnerabilities) have been found. In practice, nothing has happened."

For its part, Schiller said, Apple has learned some lessons and is working on a complete fix for the latest bug.

"We fixed one part of what is a complex problem. We're working on fixes to the other parts, and there will be more coming," Schiller said. "We were more interested in getting out the first part of the fix as fast as we can...It can help people right now. Now we'll follow up with more things as we finish the rest of this complex problem."

6 comments

Infections Still a Theory on Mac?
Just like anyone could get ebola - but if you don't eat infected monkey, what are your odds?

Did any of the 25 million people on Macs get even a single malware/infection? Anyone actually on this planet actually have to deal with the consequences of the malware?

So, while we should be wary of ebola - if you're in the nice suburbs, you have much less to worry about than those who live in neighborhoods (PC users) with infected monkeys running around.
Posted by jbelkin (167 comments )
they just have to invent ways to slam Apple
So even when Apple's record is so far superior to Windows, it's amazing, they still have to find some way to spin it to slam Apple down.

A whole article about bad bad Apple, and a couple of lines about how MS is so much worse.

No comments about how secretive MS is. We've had dealings with MS at several companies I've worked for, and they never admit to anything. Usually, if you're lucky, you find a developer that you've dealt with before who will tell you on the QT what the problem is and the workaround. But no one is supposed to know about the problem. So customers just keep getting screwed over.

But it appears that no matter how well Apple does, there are those in the industry, including here at CNET, that are just dying for Apple to fail. And they will do anything to try and help that along. How many times in the last 20 years have we heard that Apple was dead?? :)
Posted by kxmmxk (320 comments )
Critique of CNET reporting
I agree with your criticism of CNET's reporting on the dubious issue of software vendor openness. CNET's reporting has been highly selective and targeted almost exclusively at Apple.

Maybe worse are yellow-journalism CNET headlines. From the coverage and headlines, one is given the false impression that it is Mac OS that hosts the worms and viruses that flood firewalls with exploit attempts and denial-of-service attacks.

The open communication issue is a false one -- a red herring created with an agenda that is not in the best interests of OS security or of Mac OS users.
Posted by (7 comments )
The market share argument has been debunked already
Mac OS X doesn't have viruses because it's more secure than Windows. That's all there is to it. The whole "Apple only has 5%, so they're not as big a target" has been debunked by numerous people, interestingly enough, the Apple-bashing Dvorak himself.

The problem is that viruses can only really infect your home folder, assuming you're stupid enough to type in your administrative password. Viruses also can't affect your system unless you sudo or log in as root, which is disabled by default. You either have to sudo through the terminal or enable root through NetInfo Manager. Either way, it's really hard to write viruses for Mac OS X (or UNIX for that matter.)
Posted by olePigeon (39 comments )
Apple security methods are correct
Apple's approach to OS security is correct. The self-appointed "experts" are uncategorically wrong. If Apple were to do as @Stake's vice president recommends, it would be a disservice to MacOS users. Apple's outstanding, life-cycle evaluation of Mac OS security is unique in the personal computer industry.

Mac OS users don't "make a decision" about software updates from Apple. Apple updates are rare, and security updates are clearly identified. @Stake's vice president's statement about what Apple thinks about its customers' habits is a false assumption and not based on reality.

Supposed security "experts" would have Apple report in detail to those who identify security flaws. This is not good security practice. Apple generally identifies security updates. Apple would be wrong to announce "progress" or the future date for the repair of a security flaw, thereby identifying a target date for attackers. To do so is nonsense and only incites those intent on exploiting a flaw to intensify their efforts.

It is Apple's responsibility to analyze and evaluate the severity of security problems, and to release updates as required. Misdirected critique by the current batch of "experts" is most indicative of spoiled children who aren't allowed to play in their neighbor's pool.
Posted by (7 comments )
Apple is wise
It is so smart not to give information to nasty security companies, because they are making viruses for their profit. If there is no security hole, their business is over. They are pretending to be good companies but in fact they are hiring hackers.
Posted by (1 comment )