[ISN] Apple Makes Its Case for Security

InfoSec News isn at c4i.org
Tue Jun 15 01:52:50 EDT 2004


http://www.wired.com/news/mac/0,2125,63805,00.html

By Leander Kahney
June 14, 2004

Apple is a famously secretive company. Its hush-hush culture makes it
impossible for employees to talk about their work, even with spouses
or family members.

This may help keep new products a surprise, but it has a downside: In
the past few weeks widely publicized security holes in OS X were
discussed everywhere and by everyone, except Apple.

For several weeks, many users felt they were being kept in the dark.  
And when Apple finally issued a fix -- two actually, a couple of weeks
apart -- users complained they had no idea of what was being fixed or
how. Descriptions of the updates were scant, bordering on meaningless.

But security is very important to Apple. It's one of the key perceived
differences between OS X and Windows, which is constantly battling
viruses, worms and spyware.

So this week Apple executives worked overtime talking to the press.  
The message is that Apple takes security very, very seriously, and the
company has learned an important lesson in communicating about
security issues with its customers.

Ken Bereskin, Apple's director of Mac OS X product marketing, said
that Apple was stung by recent criticism that the company didn't
communicate in detail about security updates. He admitted descriptions
of patches downloaded automatically in OS X's Software Update
mechanism tended to be simplistic.

"We think it was very, very valid feedback that we received from
customers," Bereskin said. "We've had a wealth of information, but
people haven't known it existed." Detailed information is available at
the company's security website, and even some security companies
aren't aware of it, Bereskin said.

Starting with the latest security update, Apple now includes a link to
its security website, Bereskin said.

"We've actually acted on that feedback," he said. "I think that is an
example that very much we want to refine our process."

Bereskin added, "In general, we feel we've been approaching security
in a really smart way. Nothing can be perfect. I think everybody
acknowledges that, but we're trying to make it as safe and trustworthy
for our customers as possible."

According to Bereskin, Apple has issued 44 security updates since Mac
OS X was introduced in March 2001, and 3 percent of those were
classified critical -- a vulnerability that can be exploited remotely.  
The Help Viewer and Disk vulnerabilities are examples. By comparison,
Microsoft issued 78 security updates in the same period, and 65
percent were critical, Bereskin noted.

"Certainly no single operating system can be completely secure from
all threats, but most people we talk to, most of the security experts
we work with closely, agree that because Mac OS X has a Unix BSD core,
it lands up being more secure than other platforms, certainly more
than Microsoft," Bereskin said.

BSD Unix -- Berkeley Software Distribution -- is a version of Unix
developed in the 1970s. Designed from the outset as a network
operating system, it has been widely tested, refined and patched over
30 years.

Peter Kastner, chief research officer at Aberdeen Group, said the
storm in the Mac community about OS X security was overblown. "I think
there have been huge overreactions," he said. "Every complex piece of
software has vulnerabilities, that's a fact of life -- but OS X is
good, strong Unix."

Kastner said the criticism that Apple issued two separate fixes for
related holes -- the Help Viewer and Disk vulnerabilities -- is
unwarranted. He guessed that Apple may have fixed the easiest problem
first and patched the more complex issue later.

"As an ex-programmer I have a lot of sympathy for the Apple
programmers who are being asked 'When is it going to be done?' OS X is
a hugely complicated thing. You don't want to put new bugs in the
system."

Ray Wagner, a research director with market research group Gartner,
also thought the fuss was overblown.

"I think Apple's customer communication around vulnerability patching
and their automatic update service is quite reasonable, useful, and
convenient for the end user," he said. "Most of the concerns have been
around communication with developers and security practitioners,
rather than end users."

Ngozi Pole is systems administrator for Sen. Edward Kennedy
(D-Massachusetts), whose office runs the only Mac operation on Capitol
Hill. Pole administers about 60 Macs and a couple of PCs.

"(The Senate) got hit pretty hard by a worm recently," he said. "When
that happened they had to shut a lot of computers down to isolate the
problem. Kennedy's office was functioning normally during that time.

OS X is just not as vulnerable as Windows."

Pole said Kennedy's office is moving to a new, centralized OS X file
server, and he is impressed with all the Unix security tools he will
be able to use.

"We're taking advantage of all the Unix stuff," he said. "We're very
impressed with the Unix tools that can run from command line."
