Security Watch: Don't get burned by viruses and hackers
By Robert Vamosi
Senior editor, CNET Reviews
June 18, 2007
Apple excels in creative and innovative marketing. Often it's what they don't tell you that creates the most buzz. For example, we know next to nothing about the Apple iPhone. We know little about the new Leopard release of Mac OS X. Both have generated a lot of press, and so far the hype has succeeded in distracting everyone from a very real concern: the overall security of each. When you strip away all the creative marketing, when you take away the Steve Jobs-induced hype, what you have is a new mobile phone based around an operating system that is just as vulnerable as the next one. Trouble is, Apple isn't being as forthcoming about security as other vendors.
The naked iPhone
For the moment, the iPhone will be running a version of the current Mac OS 10.4; in the fall, Apple will presumably upgrade its phones to the newer Mac OS 10.5. So far, the company seems to be rolling out a series of patches, about one a month for the last year or so, which is good. Apple might, however, want to follow Microsoft's lead and standardize its releases to the second Tuesday of each month.
When flaws are patched, Apple often does not acknowledge the researchers who actually brought the vulnerability to its attention. Apple is known to be looking for more security researchers. It's not an ego thing; by working with the vendor to correct the vulnerability, researchers put in long hours, usually without compensation. A public "thank you" is more than enough. But that hasn't happened.
Shoot the messenger, why don't you?
Instead, Apple has created a history of attacking security researchers. Last summer, during BlackHat USA, security researchers David Maynor and Johnny Cache disclosed a wireless vulnerability using an Apple Computer MacBook. The team found that malformed network traffic could allow the laptop to be compromised, and they provided a video of the attack. The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple AirPort wireless driver was also vulnerable.
Apple should stop attacking the messengers--the researchers--and change, as did Microsoft, by working with them.
After BlackHat, Apple rebuked Maynor's employer, saying "despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is." Apple steered media attention toward third-party wireless device drivers, which is fine because those drivers were patched quickly. Two months after BlackHat, Apple quietly released a patch for a vulnerability that, had it been exploited, could have compromised the AirPort wireless drivers in MacBooks. Apple forgot to mention David Maynor and Johnny Cache.
Reap the seeds that have been sown?
Ironically, it was another Apple vulnerability that put David Maynor in the news again this week. He was one of three independent security researchers who disclosed vulnerabilities within the new Safari 3 for Windows beta. Some of the flaws exist on the Mac OS as well. While the point of a beta is to ferret out the bugs on a variety of different machines before it goes final, some of the flaws disclosed in Safari this week were pretty easy to find. In other words, Apple could have found these vulnerabilities itself during various alpha builds.
Rather than work quietly with the vendor, Maynor and the others made their findings public. A few weeks ago, I interviewed security researcher Chris Soghoian, who pointed out that disclosing an Apple vulnerability is almost a guarantee of a lawsuit. Instead, many security researchers would rather find a fault with another vendor. On the other hand, Maynor is rumored to have another Safari exploit primed and ready, one that works on both the Windows and Mac OS versions of Safari. It's ready to go once he gets his hands on an iPhone.