[Infowarrior] - Apple security is 'struggling,' researcher says
Richard Forno
rforno at infowarrior.org
Tue Jun 9 12:51:01 UTC 2009
(Rich knows his stuff.....-rf)
Apple security is 'struggling,' researcher says
Laments lack of 'formal security program'
By Dan Goodin in San Francisco
Posted in Anti-Virus, 9th June 2009 00:52 GMT
http://www.theregister.co.uk/2009/06/09/apple_security_suggestions/
A well-known security consultant says Apple is struggling to
effectively protect its users against malware and other online threats
and suggests executives improve by adopting a secure development
lifecycle to design its growing roster of products.
"Based on a variety of sources, we know that Apple does not have a
formal security program, and as such fails to catch vulnerabilities
that would otherwise be prevented before product releases," writes
Rich Mogull, founder of security firm Securosis and a self-described
owner of seven Macs. "To address this lack, Apple should integrate
secure software development into all internal development efforts."
Microsoft was among the first companies to integrate an SDL into its
internal development routine. Under the program, products are built
from the ground up with security in mind, so that poorly written
sections of older code are replaced with code that can better
withstand attack. It also subjects programs to a variety of simulated
attacks. Adobe Systems recently beefed up the SDL program for Reader
and Acrobat following criticism about the security of those two
programs.
Mogull's suggestion was one of five he made recently to ensure the company
is doing everything it should to safeguard its customers.
"It's clear that Apple considers security important, but that the
company also struggles to execute effectively when faced with security
challenges," he writes in a recent article on Mac news website
Tidbits. He goes on to fault the company for its ongoing failure to
patch a gaping security hole in Mac versions of Java.
The suggestions came as Apple on Monday announced Safari 4.0, a
release that fixes more than 50 vulnerabilities in the browser.
Protection against clickjacking attacks, denial-of-service flaws and
bugs that allow for remote code execution were among the fare.
Another suggestion from Mogull is that Apple appoint and empower a
high-ranking executive to oversee security in all Apple products. The
CSO, or chief security officer, would serve as the public face for
Apple security as well as the internal boss who coordinates the
company's response to security incidents and development of new
products that are safe.
"None of this will work if the CSO is merely a figurehead, and this
must be an executive management position with the budget, staff, and
authority to get the job done," Mogull says.
The researcher also called on Apple to complete work adding anti-
exploitation technologies into OS X. While features such as
sandboxing, library randomization, no-execute flags and stack
protection are partially implemented now, "these implementations are
either incomplete or flawed in ways that nearly eliminate their
security advantages," Mogull says. (Fellow researcher Charlie Miller
has said largely the same thing.)
Mogull's remaining two suggestions are:
* Establish a security response team to manage communications
between internal employees and external researchers reporting
vulnerabilities in Apple products, and
* Manage vulnerabilities in third-party software.
Apple has yet to respond to criticism about the vulnerable version of
Java it continues to ship with its Macs. ®