The IT Nerd

Apple Continues To Slip On The Security Front [UPDATED]


Apple has been taking a bunch of hits lately on a variety of fronts. MobileMe and iPhone availability are the ones that people are generating the most noise about. But the security front is where Apple is really dropping the ball. Take, for example, a very nasty DNS exploit that most computer companies rushed to fix earlier this month. As I write this, it is still not fixed in Apple’s OS X Server or desktop products. This has led to a storm of criticism from all over hell’s half acre. All of it well deserved in my opinion. Oh yeah, then there’s that ARDAgent.app exploit that I discussed a few weeks back, which is still not fixed. After all, it’s been a month since this issue was reported and exploits started to appear. Are they perhaps waiting for something really bad to happen?

I’ve previously written that Apple has been slow relative to others (namely Microsoft) to fix security issues. But given how critical the DNS exploit is, Apple should be responding better than this (considering that Microsoft responded to this issue within days). Apple wants to get into the enterprise space to start displacing Windows machines, but to do that they have to prove that they take security seriously. From what I see, they are paying nothing more than lip service to that. Either that or the reality distortion field is distorting any sort of common sense for them.

Your move Apple. Prove to users that you take security seriously.

UPDATE: A comment that I received seems to think that I am “a little off the mark” as, according to the poster, flaws in Mac OS X aren’t exploited as fast as ones for Windows. A couple of thoughts on this:

  1. Relying on the fact that flaws in whatever OS you’re using aren’t exploited quickly isn’t a great way to ensure that you’re secure. Vendors and end users need to work together to ensure issues are patched up in a timely fashion. Basically, vendors have to put out patches as quickly as possible, and users have to apply them when they appear.
  2. There are exploits available that take advantage of the DNS flaw out there today. So while Windows users, Linux users and many other users who have implemented their vendors’ DNS patches likely have nothing to worry about, Mac users appear to be vulnerable. The thing that makes Apple’s lack of a fix puzzling is that Mac OS X servers use BIND, one of the most popular DNS implementations. Patches for BIND were available as soon as the initial alert was published. So fixing this ought to be an easy enough job, but Apple has yet to get around to it. What’s up with that?
  3. There are exploits that take advantage of the ARDAgent.app issue that appeared within days of the flaw being discovered. Like this one that I wrote about previously.

So from my perspective, these flaws are being exploited pretty quickly. Which means that Apple needs to deal with them just as fast.
