Thursday, June 14, 2007

Warp Power to the Apple PR Spin Machine

Ryan Singel has a great article over at Wired about the ongoing Apple Safari shenanigans. It covers most of the angles and the main topics, including the vulnerability that David Maynor is holding privately for the iPhone.
"Apple is using the research community as their (quality assurance) department, which makes me not want to report bugs," he said. "If they aren't going to run these tools, why should I run them and report them?"
At the end of the article is a classic example of vendor spin applied to reported vulnerabilities.
Apple was not immediately available for detailed comment, but a spokesperson pointed out that the Safari browser relies on an open-source browser engine that has been well tested and used by companies like Nokia.
Is Apple attempting to overload the blame onto the open-source browser engine? Open source software is not bug free...Apple knows this. Name dropping is also a slick PR trick that rarely works. Is Apple suggesting that Nokia is some type of super vulnerability free powerhouse? How many companies that "use" products are truly testing it for security vulnerabilities?

I once had a vendor tell me that their product is used by the DoD, right after I reported a security vulnerability to them...in my mind, I automatically responded with "So?".

So where is Apple's comment on why they didn't run public fuzzing tools against software they are releasing? Were they asleep during the Month of Browser Bugs? Seriously...

Apple is acting like the old Microsoft and they are getting away with it because they have a small market share and their software is not commonly (if ever) used for business critical processes.

This is summed up well by quotes from Jeff Moss and Dino Dai Zovi -
"They are vulnerable like anyone else, but they are still controlled by marketing campaigns," said Moss. "Their approach will change -- but when will it change?"

"They are going to have to deal with a lot more vulnerability reports," Dai Zovi said. "Just like Microsoft, once the public perception of security impacts sales, Apple will most likely step it up."
Apple has been getting away with this outdated security policy for too long...it is time they catch up to the rest of the world on how to deal with security issues.

Apple wants to be a big player in the game...and they want to stand out from the rest of the pack.

Right now, they are standing out for all the wrong reasons.
