

A recent Secunia study indicated that Apple had the most vulnerabilities of the major tech companies  (Source: Secunia)

Apple's Safari browser happily will fill in your personal info to malicious web forms. This glaring flaw can lead to an unacceptable breach of privacy.  (Source: Jeremiah Grossman)
"It just works." -- Apple slogan

Apple is known for its tendency to deny problems with its popular gadgets, making life miserable for customers when such problems occur.  While Apple's iPhone 4 antenna issues are currently stealing the show, there's perhaps no better example overall than Apple's spotty track record on security.

Security research firm Secunia just released a list of vulnerabilities, and Apple for the first time has come out on top as the most vulnerable vendor.  Secunia warns, "[The] graph is not an indication of the individual vendors’ security, as it is not possible to compare the vendors based on number of vulnerabilities alone."

Apple's supporters were quick to attack the report.  
AppleInsider writes:

Not all vulnerabilities are equal: Secunia outlines five levels of criticality ranging from minor "not critical" issues to "extremely critical" problems that can result in remote exploits without any interaction from the user, and for which active exploits are already known to exist. Yet Secunia's vulnerability report totals throw all these various types of flaws together into sums that are frequently used for meaningless comparison purposes. 

It's ironic that, almost simultaneously with the report, another significant security flaw in Safari aired.  Safari -- Apple's browser software -- has often seen releases so buggy that they were unusable.  Safari 5 certainly offered some improvements in that department, but it apparently doesn't fare much better in the security department than past releases, including Safari 4, which had a flaw so severe it prompted a Department of Homeland Security warning.

While the latest Safari bug isn't as severe as some exploits, considering it isn't a route to installing malware, it can result in the theft of your personal info.  It all starts with one of Safari's features -- autofill.  Unlike the standard browser autofill, which remembers users' names and passwords for certain sites, Safari has an even more ambitious autofill that maintains info about the user from their address book card and offers up these details when needed.

Unfortunately, Apple didn't appear to realize that it was necessary to screen what is allowed to access this data.  Security researchers revealed that a simple web form can grab much of this data -- first name, last name, workplace, city, state, and email address -- no questions asked.
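An added audit heuristic illustrating the defender's side of the autofill problem (example code written for this page, not from the article or from Grossman's demonstration): it flags text inputs whose names resemble address-book fields but which the user cannot see, since those are the ones a form-wide autofill would populate unnoticed. The field-name patterns and the visibility checks are assumptions of this example, not Safari's actual autofill rules.

```javascript
// Added example (not from the article or from Grossman's demo): flag text inputs whose
// names look like address-book data but which the user cannot see; those are the fields
// a silent, form-wide autofill would populate unnoticed. Patterns/heuristics are assumptions.
const PERSONAL_FIELD_PATTERNS = [ // constructed name fragments, not Safari's list
  /first.?name|given/i, /last.?name|surname|family/i, /e-?mail/i,
  /company|organi[sz]ation|employer|work/i, /city|town/i, /state|province/i,
  /phone|tel/i, /street|address/i,
];
// Input types a text-style autofill can populate (assumed).
const TEXT_TYPES = new Set(['text', 'email', 'tel', 'search', 'url']);
function isPersonalField(name) {
  return PERSONAL_FIELD_PATTERNS.some((re) => re.test(name || ''));
}

// fields: [{ name, type, visible }], a DOM-free shape so the logic is unit-testable;
// collectFields() below builds it from a live document.
function auditFields(fields) {
  return fields
    .filter((f) => TEXT_TYPES.has(f.type) && isPersonalField(f.name) && !f.visible)
    .map((f) => f.name);
}

// Browser-only: an input counts as visible unless it is display:none, visibility:hidden,
// fully transparent, or laid out off-screen / zero-sized.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll('input')).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    const offscreen = r.right <= 0 || r.bottom <= 0 || r.width === 0 || r.height === 0;
    const visible = cs.display !== 'none' && cs.visibility !== 'hidden' &&
      parseFloat(cs.opacity) > 0 && !offscreen;
    return { name: el.name || el.id, type: el.type, visible };
  });
}

// Constructed sample: a sign-up form with two fields the user sees and three
// personal-data fields the page author placed out of sight.
const SAMPLE_FIELDS = [
  { name: 'username',   type: 'text',   visible: true },
  { name: 'email',      type: 'email',  visible: true },
  { name: 'firstname',  type: 'text',   visible: false },
  { name: 'company',    type: 'text',   visible: false },
  { name: 'city',       type: 'text',   visible: false },
  { name: 'csrf_token', type: 'hidden', visible: false },
];

if (typeof document !== 'undefined') { // usable as a console snippet or bookmarklet
  console.log('silently autofillable fields:', auditFields(collectFields(document)));
}
```

In a browser, paste it into the developer console on a suspect page; outside a browser only the DOM-free auditFields() path is exercised, on the constructed sample.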

Such info could be used in phishing schemes.  It could also be used in blackmail schemes if the users were visiting naughty websites.  Ultimately, it represents a gross threat to privacy that easily surpasses Apple's recent loss of iPad buyers' email addresses (a problem that was largely carrier AT&T's fault).  Apple was informed of the problem on June 17, 2010, but has since done nothing.

The flaw was discovered by Jeremiah Grossman, founder of WhiteHat Security.

Security problems are hardly something new for Apple though.  The iPhone has increasingly been attacked.  One security researcher suggested its security was so poor that it was "useless" to businesses.  Apple has made some improvements with each release of its iPhone OS, but they didn't stop malicious worms from cropping up in the iPhone 3GS generation.

On the computer side, Apple also has had numerous past issues.  Weak memory protections in its past two operating systems -- Tiger and Snow Leopard -- have spawned a number of successful attacks.  Worse yet, Apple's latest OS -- Snow Leopard -- shipped with an outdated, vulnerable version of Adobe Flash.

Apple has made some gains -- its new OS does come with mild antivirus protections (though Apple quietly recommends users purchase dedicated AV software).  And the OS does offer working DEP (data execution prevention), though it ships with a virtually broken address space layout randomization (ASLR) implementation (which rival Microsoft's Windows 7 flawlessly implements).

Ultimately, though, what is really killing Apple is its slow patch time.  Apple's "there is no problem" mentality has made it the slowest company at patching, according to recent surveys.  It took Apple a year to patch a major Java hole, which it finally did last June.  Unfortunately, such performance is more the rule than the exception.



Comments

Apple has no clue how to make anything secure.
By Motoman on 7/23/2010 10:45:55 AM , Rating: 5
...and why would they? They've persisted to this point on the "security by obscurity" program...they never had to worry about how secure their products were, because no one would bother to attack an insignificant player like them.

But now that people are scrutinizing their products (despite the fact that, at ~4% of the computer market, they're still an insignificant player), it's obvious that they have no clue what they're doing.

In the end, it will make no difference. Macolytes will continue to buy and use Apple products no matter what - people with brains in their heads will just look at the Macolytes and wonder what the eff they are thinking.




By mircea on 7/23/2010 11:08:18 AM , Rating: 3
With time they might lose all these loyal buyers, if people can so easily get their data stolen, which can result in stolen bank account info and then stolen money.

How can they afford a Mac when their wallets are emptied by Mac figuratively AND literally?


RE: Apple has no clue how to make anything secure.
By mstrmac on 7/25/2010 1:56:04 AM , Rating: 1
With the latest iterations of OS X, Apple has introduced many initiatives to prevent security issues. One of the most interesting is known as address space layout randomization (ASLR) which is more commonly known as memory randomization. ASLR is important because it makes one of the most common security issues, the buffer overflow, almost impossible to exploit.

For those of you who don’t understand it, think of it this way. Imagine the memory of your computer like a map of your hometown. Some vandal wants to change some of the street names to mess with your map. In order for him to do that, he needs to know the exact longitude and latitude of those streets. It’s easy for him because he can buy a map of your hometown and get that same information.

The latest version of OS X chops that map up into little squares and randomly rearranges them, but is also smart enough to know how to continue reading the map unhindered by the confusing rearrangement. Nobody is able to buy a map arranged exactly like that so nobody can get the exact information they need to vandalize your map. It doesn’t mean they can’t. They just can’t quite zero in on exact targets anymore.
On top of that, OS X also offers tagged downloading of applications (a system that watches very closely what gets downloaded and run on your computer and alerts the user before it runs for the first time), stronger forms of built-in encryption, more robust firewall features that watch for malware-like activity and application sandboxing to prevent hackers from targeting program-specific vulnerabilities.

Now, I’m not naive. I have no doubt that OS X will eventually have security issues that result in some kind of malware. No system is perfect and no amount of operating system cheerleading will change that. Someday, we’ll see the first OS X virus. However, I’m confident that these problems will never approach anything like what we’ve seen on Windows, and there’s little reason to think Apple’s gradually increasing market share will change that.

What’s funny about the market share argument too is that it really doesn’t even apply to the Mac to begin with as it assumes the Mac is a platform unto itself. That was true in the old days, but the Mac doesn’t run OS 9 anymore. It’s OS X, and OS X is, underneath the pretty user interface, Unix. There are lots and lots of Unix (or Unix-like, if that makes you Linux fans happy) machines out there and they’re all running the same or similar software under the hood and all have similarities in how they operate and are structured. In that sense, OS X is part of a much bigger market. And yet, I don’t see a whole lot to worry about from the Unix side of OS X either. We’ve seen a few security issues pop up (like the ssh thing a while back) but nothing that has exploded into a major virus outbreak.
One thing that may explain the differences between Unix-like platforms and Windows is the nature of the software that runs on each platform. Much of the software running under-the-hood on Macs is open source. That means anyone, including you and me, can download and look over the source code. When you have lots of programmers looking over the code, security issues can be spotted before they become a headache. This leads to proactive software patching as opposed to reactive—that is, patching after the viruses and malware are running rampant. Windows is closed-source, proprietary software and does not benefit from countless numbers of programmers and hackers viewing its code. In some unfortunate instances, security issues become known only after they have turned into viruses boring holes in your computer’s brain.


RE: Apple has no clue how to make anything secure.
By marraco on 7/25/2010 12:12:18 PM , Rating: 4
What a load of lies.

Nothing is farther from open source than anything from Apple.

Try to get the source code of OSX.


By marraco on 7/25/2010 12:20:41 PM , Rating: 2
Apple is an enemy of open source.

Each Apple magazine has at least one article attacking open source as "mischievous", "risky", or not worthy, but never explains why.

Apple is an enemy of all civil liberties. It says what software you can install on its phones, what music you can hear, and is trying to decide what newspapers you can read.


By afkrotch on 7/25/2010 9:18:54 PM , Rating: 3
ASLR is broken on OS X, dumbass. Even the article states such.


Copyright 2014 DailyTech LLC.