When I read the headline about a security researcher who had published proof-of-concept code for a vulnerability, I was upset. To disseminate proof-of-concept code is to basically say, “Here is a way to attack computers for those of you who can’t figure out how to do it yourselves.” The analogy that comes to mind is to throw a gun on a playground and let kids figure out how to load it.
By the time I had finished reading the article, though, my attitude had changed.
The purpose of stunts such as this one is to embarrass a vendor into fixing problems and writing better software. The problem with that scheme is that even when it works exactly as planned, it is users who get hurt, not the vendor. A significant number of users just do not implement fixes when they are available. These people are the ones who suffer (along with all those innocent third parties who pay the price when the PCs belonging to inattentive users are compromised and added to a botnet).
What influenced my change of heart in this case was the fact that the vendor in question was Apple, which has been feckless on the topic of security for a long time. Apple gives people the false impression that they don’t have to worry about security if they use a Mac. And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code in this case is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.
Apple has exuberantly criticized Microsoft for the security vulnerabilities of its products. The fact is, though, that that criticism is grossly misplaced. For its part, Microsoft has been extremely disciplined in ignoring Apple’s advertisements.
The current Mac commercials specifically imply that Windows PCs are vulnerable to viruses and Macs are not. I can’t disagree that PCs are frequent victims of viruses and other attacks, but so are Macs. In fact, the first viruses targeted Macs. Apple itself recommended in December 2008 that users buy antivirus software. It quickly recanted that statement, though, presumably for marketing purposes.
It certainly could not have been for real security reasons. A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.
How can Apple get away with this blatant disregard for security? Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors’ cars are death traps, when we all know that all cars are inherently unsafe. Claims like those would surely draw the wrath of the Federal Trade Commission. Well, guess what: All commercial software has security vulnerabilities.
Why then is there no investigation of Apple’s security claims and inferences? Where is the FTC? The company’s turn-about on antivirus software should be a red flag to federal regulators. Here’s a company that was telling people that its products were secure, then briefly said they were not secure, and then said it had misspoken, and subsequently used the “Macs are safe” stance as a selling point, when in truth the only way they are safer is that Macs are less attractive to virus writers because there are so few of them. That is security through obscurity, which is always short-lived and a truly terrible security practice. Should Apple be allowed to make such claims? Billions of dollars are at stake, not to mention the public’s computing safety.
And so, much as I hate the concept of releasing proof-of concept code, I have to wonder whether this is what we need to make the public see how much they are at risk. The mainstream press really doesn’t cover Mac vulnerabilities, and Apple’s “it’s all good” talk seems to be winning the day. When I made a TV appearance to talk about the Conficker worm, I mentioned that there were five new Mac vulnerabilities announced the day before. Several people e-mailed the station to say that I was lying, since they had never heard of Macs having any problems. (By the way, the technical press isn’t much better in covering Mac vulnerabilities.)
I have come to the conclusion that either the FTC must investigate Apple’s advertising claims with regard to security, or people must begin releasing proof-of-concept code on a regular basis. European Union and Canadian regulators can certainly step in as well. With Apple selling more Macs, its attitude is putting more people at risk. And just to be clear, it is not that Apple’s software has security vulnerabilities that is the problem; all commercial software does. The problem is that Apple is grossly misleading people to believe otherwise.