Apple Continues To Slip On The Security Front [UPDATED]

Apple has been taking a bunch of hits lately on a variety of fronts. MobileMe and iPhone availability are the ones people are making the most noise about, but the security front is where Apple is really dropping the ball. Take, for example, the very nasty DNS flaw that most vendors rushed to patch earlier this month. As I write this, it is still unpatched in both Mac OS X Server and the desktop version of OS X. This has led to a storm of criticism from all over hell’s half acre, all of it well deserved in my opinion. And then there’s the flaw I discussed a few weeks back, which is also still unfixed, a month after it was reported and exploit code started to appear. Are they perhaps waiting for something really bad to happen?

I’ve previously written that Apple has been slow relative to others (namely Microsoft) to fix security issues. But given how critical the DNS flaw is, Apple should be responding better than this, considering that Microsoft shipped its fix within days. Apple wants to get into the enterprise space and start displacing Windows machines, but to do that it has to prove that it takes security seriously. From what I see, Apple is paying nothing more than lip service to that. Either that, or the reality distortion field is distorting any sort of common sense for them.

Your move Apple. Prove to users that you take security seriously.

UPDATE: A commenter thinks I am “a little off the mark” because, according to them, flaws in Mac OS X aren’t exploited as quickly as ones in Windows. A couple of thoughts on this:

  1. Relying on the fact that flaws in whatever OS you’re using aren’t exploited quickly isn’t a great way to ensure that you’re secure. Vendors and end users need to work together to ensure issues are patched in a timely fashion. Basically, vendors have to put out patches as quickly as possible, and users have to apply them when they appear.
  2. Exploits that take advantage of the DNS flaw are available today. So while Windows users, Linux users and many others who have applied their vendors’ DNS patches likely have nothing to worry about, Mac users appear to be vulnerable. What makes Apple’s lack of a fix puzzling is that Mac OS X Server uses BIND, one of the most popular DNS implementations, and patched BIND releases were available the same day the initial alert was published. Fixing this ought to be an easy enough job, but Apple has yet to get around to it. What’s up with that?
  3. Exploits for the issue appeared within days of the flaw being discovered, like the one I wrote about previously.
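
As an added example (not the author’s code and not anything Apple ships), here is one way to check whether a recursive resolver in your environment, such as the BIND instance on Mac OS X Server, still leaves itself easy to poison. It assumes, as the July 2008 vendor advisories did, that the flaw at issue is the DNS cache-poisoning attack that the BIND patches mitigate by randomising the UDP source port of outbound queries. The capture lines are constructed in a tcpdump-like shape and are not real traffic; the function names are this example’s own.

```python
import math
import re
from collections import Counter

# Constructed sample captures (not real traffic). Each line is one outbound
# query from a recursive resolver, in a tcpdump-like shape:
#   <src_ip>.<src_port> > <dst_ip>.53: <txid>+ A? <name>.
# The first resolver sends every query from port 53 (assumed unpatched
# behaviour); the second picks a fresh ephemeral port per query.
FIXED_PORT_CAPTURE = """\
10.0.0.53.53 > 192.0.2.10.53: 4123+ A? example.net.
10.0.0.53.53 > 192.0.2.10.53: 9914+ A? www.example.net.
10.0.0.53.53 > 192.0.2.11.53: 27780+ A? mail.example.net.
10.0.0.53.53 > 192.0.2.10.53: 61002+ A? ns1.example.net.
10.0.0.53.53 > 192.0.2.12.53: 3391+ A? ftp.example.net.
10.0.0.53.53 > 192.0.2.10.53: 48876+ A? cdn.example.net.
10.0.0.53.53 > 192.0.2.11.53: 15550+ A? img.example.net.
10.0.0.53.53 > 192.0.2.10.53: 55019+ A? api.example.net.
"""

RANDOM_PORT_CAPTURE = """\
10.0.0.53.41522 > 192.0.2.10.53: 4123+ A? example.net.
10.0.0.53.59301 > 192.0.2.10.53: 9914+ A? www.example.net.
10.0.0.53.33817 > 192.0.2.11.53: 27780+ A? mail.example.net.
10.0.0.53.52048 > 192.0.2.10.53: 61002+ A? ns1.example.net.
10.0.0.53.61190 > 192.0.2.12.53: 3391+ A? ftp.example.net.
10.0.0.53.38475 > 192.0.2.10.53: 48876+ A? cdn.example.net.
10.0.0.53.57733 > 192.0.2.11.53: 15550+ A? img.example.net.
10.0.0.53.45006 > 192.0.2.10.53: 55019+ A? api.example.net.
"""

# Source port is the last dotted field of the source address; the transaction
# ID is the number before the "+" flag.
QUERY_RE = re.compile(r"^\S+\.(\d{1,5}) > \S+\.53: (\d{1,5})\+ ")


def parse_queries(capture):
    """Return (source_port, txid) pairs for every query line; other lines are skipped."""
    pairs = []
    for line in capture.splitlines():
        match = QUERY_RE.match(line.strip())
        if match:
            pairs.append((int(match.group(1)), int(match.group(2))))
    return pairs


def observed_entropy_bits(values):
    """Shannon entropy of the observed values, in bits.

    Bounded above by log2(number of samples), so a short capture can only show
    a few bits; treat it as a lower bound on what the resolver actually does.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_source_ports(capture):
    """Summarise how much an off-path attacker would have to guess.

    A forged reply is accepted when its 16-bit transaction ID and its
    destination port match the outstanding query. With a fixed source port
    only the ID is unknown; with a randomised port the attacker must hit both.
    """
    pairs = parse_queries(capture)
    ports = [port for port, _ in pairs]
    txids = [txid for _, txid in pairs]
    distinct = len(set(ports))
    if distinct <= 1:
        verdict = "fixed source port: only the 16-bit transaction ID protects the cache"
    elif distinct < len(ports):
        verdict = "some port reuse: check for a small fixed port pool"
    else:
        verdict = "randomised source port: attacker must guess port and transaction ID"
    return {
        "queries": len(pairs),
        "distinct_ports": distinct,
        "port_entropy_bits": round(observed_entropy_bits(ports), 2),
        "txid_entropy_bits": round(observed_entropy_bits(txids), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, capture in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(label, assess_source_ports(capture))
```

To run it against a real resolver, capture its outbound queries on the resolver host (for example `tcpdump -n udp dst port 53`) while it resolves a batch of names it has not cached, and feed the text to `assess_source_ports`. The question you care about is whether the ports are fixed or drawn from a tiny pool, not the exact entropy figure; a NAT device in front of the resolver can also rewrite ports to a fixed value, so capture as close to the upstream side as you can.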

So from my perspective these flaws are being exploited pretty quickly, which means that Apple needs to deal with them just as fast.

4 Responses to “Apple Continues To Slip On The Security Front [UPDATED]”

  1. I have to ask, isn’t the DNS problem a flaw? Isn’t the software that is used to exploit that DNS flaw an exploit? Have any computers using OS X ever been compromised in the wild using this DNS flaw?

    A PC using Windows XP without anti-virus software still lasts only minutes on the internet before becoming hopelessly infected. A PC using Mac OS X is still not infected for going on 8 years.

    Perhaps Windows OS flaws need to be addressed more urgently than Mac OS flaws. Patch Windows ASAP, Macs can be patched during the next OS update.

    Your sense of urgency is based on your experience with Windows flaws and their rapid exploitation. When you apply that urgency to the Mac OS you are a little off the mark.

  2. Peter da Silva Says:

    The exploit impacts recursive name servers. Apple’s market is the desktop. Desktops don’t run recursive name servers. This is not to justify their lack of response, but it may explain it.

    Apple vs Microsoft?

    The longest I’ve known Apple to go without fixing a security flaw is three years.

    Microsoft is currently 10+ years without fixing the design of IE and ActiveX. They’re also refusing to fix the flaw in IE exposed by the Safari “carpet bomb” attack… yes, “carpet bomb” was a bug, but without IE it would be no more than a DoS, and there are other ways to exploit the IE Desktop vulnerability.

    As an aside to the ARDAgent flaw… I have never used Apple Remote Desktop and am unable to reproduce any of the attacks. It seems that if you haven’t run ARDAgent it’s not registered in AppleScript. I haven’t seen mention of this online, other than my own comments… has nobody else ever tried it on a “virgin” Mac?

  3. “The exploit impacts recursive name servers. Apple’s market is the desktop. Desktops don’t run recursive name servers. This is not to justify their lack of response, but it may explain it.”

    OS X Server however DOES run recursive name servers, so if you run an OS X server in your environment, you’re at risk.

  4. Tom Dixon Says:

    Yeah, let me know when I have to start running antivirus software on my Mac.
