Newsmaker: Tribble on Apple's security troubles

Apple Computer has been notoriously tight-lipped about security. But lately there have been some breaks in the company's traditional silence.

On Monday, the Cupertino, Calif.-based company released the second set of Mac OS X security fixes in two weeks. Typically, Apple publishes its concise security alert on its Web site and Mac users will find the update when their computer checks for updates. That happens automatically every week on default Mac OS X installations.

But this time, Apple made Bud Tribble, one of the key architects of Mac OS, available to CNET News.com to talk about the security of Mac OS and the company's security update process.

Tribble, vice president of software technology, started at Apple in the early days of the company, as manager of the original software team and helped to design Mac OS. He rejoined Apple in 2002 after leaving the company to work on various ventures, including the NeXT Computer, which he helped found with current Apple CEO Steve Jobs.

Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinized in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also have questioned the effectiveness of Apple's March 1 patch.

While recent events have some asking if Mac OS' charmed security life is over, Apple certainly doesn't think it is. The company's security updates are largely preemptive, Tribble notes. And though the company may start to talk about security in a more public forum, that doesn't mean it is overhauling its practices, for example by putting security patches on a schedule, like Microsoft, Oracle and Adobe Systems do, or plan to do.

Tribble recently spoke with CNET News.com to discuss Apple and its approach to security.

Q: Are you on any kind of schedule with security updates, or do you just issue them as they come along?
Tribble: We issue them as they are needed. We don't have a fixed schedule, say a monthly specific update. We actually are driven by making sure that the issues we find are addressed in a timely manner. We realize that certainly some IT managers desire a fixed schedule, but we think that the majority of our users are served by us getting the fixes out in a timely manner, when it makes sense.

You don't rate any of the vulnerabilities that you fix. Can you actually say which issue is considered the most severe?
Tribble: We don't do that. We don't, for example, say that these two are "critical" and the other ones are not critical. We don't do that, because we recommend that if we put out fixes in a security update, that you install them all. That's why we put them there.

One of the things we want to avoid is--say we started splitting hairs and calling some subset of them critical--I think we would end up with users eventually only installing the critical fixes, when we actually think that they should all be installed.

When you compare your security alerts with Microsoft's, for example, then you have less information in your alerts. Is that intentional?
Tribble: I am not sure we actually have less information. We describe the fixes, and we relate them to which components are being fixed. We have CVE (Common Vulnerabilities and Exposures) ID numbers, and we thank the people who submitted them. I think the actual content is pretty similar.

It is a big change that you're actually talking to the media about security. Is this part of a bigger change around Apple communicating its security updates?
Tribble: We feel like we have a very proactive approach to security and engineering and marketing and responding to these things. Communicating with you is just part of that.

You used to not talk about your updates at all. Now you are, is that part of a bigger change? Or is this the only change we're going to see?
Tribble: It is probably not true that we've never talked about things. I think that talking about these things and communicating is part of our overall approach to security.

More Newsmakers

[Earl Benser]

Not exactly news....

.... It must be a dull morning at CNET.

[BruceLawrence]

How common is your reply?

Every report or at least 90% of the reports that talk about the Mac or OSX anything regarding the Apple that may be bad PR, there always seems to be someone who has this compelling urge to call it "not news". Why do I even feel compelled to reply to you?

'must be a dull morning...' 'must be a slow day...' etc

Half the time they say this when the top of the page says "BLOG".

If this wasn't news then why did the guy from Apple even show up?

[MikeyT5663]

I'm glad that Apple is doing this

Well I am glad that Apple is taking care of this and staying on top
of things. Whenever I see that there is a new security update I am
comforted that the company that I trust actually cares about the
products it manufactures, a company that is even willing to offer
secure systems with free security updates. Other companies do not
do this, some even charge you 50 dollars a year to do that.....

[schlegelmc]

Apple's [over exaggerated by news.com] security troubles

news.com is my homepage. It's been so for over 6 years. So, I can
say with the benefit of familiarity that this is one of those issues
that news.com is beating to death so will generate some real news.
I've seen them do it before--keep pounding at an issue so long
that some real news happens due to their pounding.

So, OK already. Tribble has granted news.com an interview to
discuss Mac OS X security. Great. Finally, some real news. Good
work, I guess.

[l.evans]

same questions

...yes, shame once they had him sat down and willing to talk they
didn't ask him more than one question, over and over and over
again...

[stealt403]

only exaggerated a little

I think news.com exaggerates the apple threats a little bit, but they are really just pointing out that apples OS is not perfect (don't tell an apple user that unless you want to get stabbed or argue for hours on end)and that it has some problems too, though not as numerous as XP.

[jwarren.carroll]

Puppet Masters

The first couple of these stories were rather amusing to watch the tidal wave of argumentative comments. I participated at first, but quickly realized the pointless nature of the entire tirade.

I understand that you all care what computer you use, but is it really worth it to worry about what computer your neighbor uses. This is like the very US argument between Ford and Chevy. Be it Mac, Linux, PC, or whatever else you choose, they all have pros and cons.

I do get the feeling though that there are a group of C|net guys laughing themselves to death by reading these posts. They are pulling our strings to get a response from us, because arguments generate hits.

C|net has some carnies working for them. They will guess your weight, give you balloons, feed you cotton candy, but at the end of the day they only care about one thing. These guys need the carnival to keep going, and they will do whatever it takes to make that happen.

I am a PC user, but I will have to admit that this issue is getting pretty old, as is the debate over who's computer is "Cooler". So argue away if you will, yell and scream, but you are just a sad form of entertainment to some guys who have run out of original material.

[stealt403]

Funny you should post and degrade other posters

I for one am not trying to impress CNet's staff with my posts. If I want to comment on a story I will and don't think "Will CNet staff think I'm cool if I post?"
A business promoting a sensational idea/story/product to increase sales or hits? CNet is truly a pioneer. This must be the first time anything like this has happened.

I do agree that Mac v PC debates on Cnet are getting old. But then again, here I am.

[scweezil]

Why come here & post?

If you didn't care...you wouldn't be here. It's called keeping them
honest. Seems this sight has plenty of issues with that.

[M C]

CNet, try and find SOME professionalism.

"So the answer is no."

Keep your sarcasm to yourself. I know Apple = page views for CNet, but the whole adversarial thing makes you look like a troll. Seriously.

[jmanico]

joke article

What a joke - this is the biggest puppet master story I have ever seen. What is happening to you, CNET?

[regan2]

the best part is..

the best is that the interviewer acts like Apple really even has a
segment of the IT business anyways.

what, so like three dudes are mad because it's not on a "schedule"?

[swift2--2008]

Agenda-Driven Drivel

The interviewer desperately wants to suggest that Apple
"should" put its security updates on a schedule, like Microsoft's,
and that "IT managers" are demanding it. Who? Why? Why is it
"better"? Because Microsoft was forced to do it by the blizzard of
viruses and Trojans on their platform? Why not just fix the
problems, or potential problems, as they come up? Is Apple
deficient for not doing things the "Microsoft Way"?

If C/Net has an agenda here, they should come out and say it.
Oh, wait a minute, they have. Windows good, Mac bad. They're
just waiting for worms and viruses on the Mac, and the "iPod
killer" they keep announcing like their Great White Hope, so they
can go back to ignoring the Mac like they want to.

[kxmmxk]

exactly

A schedule isn't better. First it implies you have issues to fix every quarter (for example). MS clearly does, Apple doesn't. Second it means you won't get a fix sooner, no matter what. MS has more flaws to serious order of magnitude than the 2 Apple has. And most of MS flaws are not revealed unless they have a fix or someone else finds it and brings it up. They no about so many issues that they don't even tell people. Do people really think their regular security updates are fixing every problem known about?

As far as the recent flaws, the one with someone breaking into a Mac Mini was actually a situation where they had been given a legitimate account on the system first. The experiment was reproduced with no one having local accounts and no one was able to break in. Basic security says to limit access to your system through various methods.

But so much has been made about MS lack of security that they and theirs want to make a big deal of a little mole hill next to their mountain.

[bemenaker]

Explain to me how you get your "agenda"

I don't see it. But one thing I do see, and other posters here have agreed with, is that Tribble didn't answer the questions he was asked. There are three or four serious questions there, where all Tribble did was dribble pointless babble out without saying a thing. It's like listening to a politician speak. You hear lots of words, but where is the content?

[open-mind]

To Each His Own

A variable update schedule is better if you have a small number of updates. A regular update schedule is better if you have a large number of updates.

If Apple used Microsoft's approach, their users would have to wait longer to get the update, so it would not be as good.

If Microsoft used Apple's approach, they would be releasing updates every day which their customers would hate, so it would not be as good.

Microsoft's approach is better for Microsoft's customers.

Apple's approach is better for Apple's customers.

I think it's unfortunate the author doesn't seem to *get* that, and it's unfortunate that Tribble didn't *say* that.

[bmelnick]

Message has been deleted.

[Terry Murphy]

The ultimate security challenge?

Apple's "security troubles!?"

What security troubles? lol Frankly, this was a pretty boring
interview, and when you think about it, that's actually a great
thing. In reality, poor Tribble (no trouble with this Tribble) is a
reminder of the famous "Maytag repairman," who sat at his desk
and watched the clock all day, waiting for the call when his
services are truly needed. Every once in awhile the phone would
ring, but it was always just another false alarm. The "loneliest
job in the world." lol

Well, not to belabor the point, as MS Window's fanatics will never
get it anyway, so here's my little security challenge to any and all
MS Windows slaves:

Ready? I will turn off my OS X 10.4 installed firewall for one
week. You in turn will turn off your XP SP2 installed firewall and/
or any other 3rd party firewalls you have installed. (I have no 3rd
party firewall installed.) You will disable all anti-virus, et al.
software on your machine. (I have no anti-virus, et al software
installed.) Then, for a period of one week, surf the net. And what
I mean by surf is: go nuts! Download anything! Visit any site you
wish. No need to keep a record of where you've been because it
really doesn't matter.

After a week, let's see what condition your XP box is in
compared to my OS X box.

Any takers? lol

[CBSTV]

"security troubles"?

Have any OS X users experienced security problems?

[scweezil]

Scheduled MS Security Fixes

MS scheduled security fixes are a PR job. It contained the story
of how many problems they actually have. Remember when
stories were being released on an almost daily basis about
security issues with Windows? They were patching them as they
happened & not doing a very good job of that. Thus the
schedule. Now the security PR issues are pretty much contained
but not the actual security issue. On a schedule tells me that
they have plenty of issues that they know about & can not
possibly fix in a reasonable amount of time. Instead of fixing
them as they occur. There is probably a huge backlog. PR job all
the way. If an IT person needs a schedule they could have easily
done this themselves by downloading the patches once a month.
Why is it necessary for MS to provide them with this so called
better way. Makes absolutely no sense.

[BruceLawrence]

It's not better for MS, its better for us

When I say "us" I mean network administrators and corporations. Having them on a schedule makes our jobs so much easier in many ways.

The impact of randomly throwing updates out there can cause a serious disruption especially if the systems need to be rebooted afterwards. Especially if systems are running company machines and equipment.

MS has the most robust, flexible and stable way of deploying updates I have seen from any product. Probably because they've had tons of practice hehe. Really though, their mechanism for deploying updates works beautifully IMO.

Saying you're proactive is a good thing but when your updates become more frequent, users tend to get edgy.

The point of this article was to find out if more and more updates are expected from Apple at random times. If their updates become more frequent, I wouldn't be suprised if they take a scheduled type approach to deploying them.

[samis]

patches on a schedule

The reason Microsoft releases patches on a schedule is it was a request from large companies (where Windows is much more prevalent than Macs). It is not a PR job but rather companies needed to have some sense of when a patch would be released so they would have time to test it and make sure it didn't disrupt their users. And by the way, *every* OS has its security problems. These are made more apparent when the OS is more popular because its popularity provides a bigger payoff for hackers. So don't get any illusions. If OS/X had the same market share as Windows Apple would be busy releasing patches every week too. I'm a long time Unix hacker so don't give me all that crap about how OS/X is inherently more secure. Please.