Monday, October 2, 2006

Apple Silently Hurts its Users

As many of you know, Johnny Cache and Dave were supposed to talk about the Apple Wi-Fi device vulnerabilities at ToorCon 2006, but due to outside influence this didn't happen.

Johnny Cache did deliver a small speech, however. It points out that Apple is saying one thing and doing another. Apple claims that SecureWorks provided no useful information, yet they release remote code execution Wi-Fi patches and are "working" with SecureWorks on something.

If Apple and SecureWorks were making a new cake recipe, they wouldn't get CERT/CC in the mix, now would they?

So what is Apple doing? They are doing exactly what they have always done.

Silencing those who might pull the veil from the Apple Faithful's eyes....so that they can see the truth. Am I implying that they have blinders on? I sure am...

Apple believes the public disclosure of security flaws doesn't help anyone. But I know tons of people in the Windows security management world who would strongly disagree if Microsoft held this position. So why the difference? Because Apple doesn't hold any ground in critical corporate infrastructure.

A serious Microsoft vulnerability can stop a company in its tracks. Do you think an OS X vulnerability would do that? No. Even if it were a remote code execution, reachable from the internet with an active Mac worm....it just isn't going to have the impact that a serious Microsoft vulnerability will have.

Take this April 2006 vulnerability story (from CNET News.com) as an example:

Tom Ferris, a security researcher in Mission Viejo, Calif., published late on Thursday information on seven flaws in Apple's operating system that potentially put Mac users at risk of a cyberattack. The most serious of the flaws could let attackers surreptitiously run malicious code on users' PCs, Ferris said in an interview via instant messaging.

"We're in the process of investigating and addressing them," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."

Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats--including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple's Safari browser.

"The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host," Ferris said. "They can be exploited to execute arbitrary code very easily and were not hard to find."

Do you think this type of talk would work if Microsoft were pushing it? Of course not....because Microsoft knows better. They were once silent on vulnerabilities too...

Apple assumes that no one can exploit a vulnerability without a public exploit...which is just silly thinking.

The Apple faithful need to stop blindly accepting the information that is force-fed to them from Apple HQ and just look at Apple's actions to see the truth.

But I guess ignorance is bliss...
