From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Wed May 23 2001 - 16:25:28 PDT
In a May 1, 2001 Business Week column (see below for excerpts), the
author lambasted Apple Computer for being slow to set up the type of
security response infrastructure for Mac OS X that other Unix
operating system vendors, such as Sun and Red Hat, have long provided.
At least as of today, however, Apple has gone to the extent of:
- Providing an e-mail address and toll-free phone numbers for
reporting security incidents involving its products.
- Setting up an Apple Security-Announce mailing list.
- Offering update releases that address the CERT-identified
vulnerability mentioned in this Business Week article, as
well as two other known security issues in Mac OS X.
For more information about the above, see:
"Apple Product Security"
http://www.apple.com/support/security/security.html
"Security Updates"
http://www.apple.com/support/security/security_updates.html
In contrast to some other Unix vendors, however, Apple notes on its
Security Updates page that "for the protection of our customers,
Apple does not disclose, discuss or confirm security issues until a
full investigation has occurred and any necessary patches or releases
are available."
In addition, it remains to be seen how active Apple will be in
responding to incident reports and in informing customers of
available patches or new releases. However, it is encouraging to see
that Apple has begun taking the initial steps toward meeting its
security-related responsibilities in supporting Mac OS X.
Aron Roberts
Workstation Software Support Group
---------------------------------------------------------------
For Mac Users, the End of Innocence
Alex Salkever
Business Week
May 1, 2001
http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm
Excerpts:
Steve Jobs proudly boasts Apple will soon be the largest seller of
Unix-based operating systems in the world due to the expected
widespread adoption of OS X. But the company has yet to take basic
steps to set up the kinds of monitoring-and-reporting systems needed
to ensure continued security for Mac users. "OS X has the potential
of being one of the biggest security liabilities on the Internet,"
says Preston Norvell, a network-security expert and member of the
professional group Macsecurity.org. ...
For starters, there's no security destination for OS X users on
Apple's Web site. Nor does Apple operate a security mailing list to
notify users of potential weaknesses and patches they could apply to
lock down their systems. Microsoft, Sun, and Red Hat all maintain
security mailing lists and security destinations.
Apple also has failed to provide a way for programmers or others to
notify the company of new security flaws. "There is currently no
known e-mail address, or drop box of any sort, to notify Apple of a
potential or confirmed security problem in any of their products,"
Norvell says. ...
Furthermore, Apple hasn't shown any indication that it has assigned
dedicated staff to tackling security issues and writing patches. A key
component of security for any serious OS is a team of experienced
code writers that can quickly evaluate threats, assess the damage
potential, and inform customers. Such a dedicated response team is
particularly crucial with Unix products.
... according to Norvell, [TidBITS' Adam] Engst, and others, Apple
has been slow to respond to CERT advisories, often taking months to
patch big holes. And Apple has so far failed to respond to the first
CERT advisory, released on Apr. 10, that could affect OS X -- a
warning about a flaw in the Free BSD software platform that was used
to develop the operating system. ... That's symptomatic of a largely
secretive Apple culture, which is still coming to grips with its
shift into the far more transparent Unix world.