TSP Quoted in eWeek: On Apple Security

I was queried yesterday by Nathan Eddy of eWeek about Apple's recent security patches. It's interesting that he was inquiring about these particular security patches, as they seemed quite run of the mill. The specific security fixes that he was inquiring about referred to Apple's Quicktime and iTunes programs.

Here's what I said in the article:

Michael Oh, founder of the Apple-specific, Boston-based company Tech Superpowers, said based on the support page for the QuickTime update, all of the vulnerabilities related to the idea that it is theoretically possible for a user to click on a URL, encoded in a certain way, and it may crash QuickTime or be used to execute a code.

“I wouldn’t say it’s a large threat for the average user, but it’s a common attack vector used by a lot of hackers sending out spam, so it’s a pretty common type of thing you see out there,” he said. He pointed out there are theoretical hacks that can happen on any number of platforms, and singled out Apple’s diligence in security issues.

“Apple has a pretty serious stance on security and addressing these issues,” he said. “They are very good at pushing these updates down to users—Apple simply sees those vulnerabilities, addresses them behind the scenes and then releases the updates."

Oh said the stuff that really gets mainstream media attention, such as viruses or Trojans, tends to be things that have a mechanism to propagate wildly—as the term "virus" suggests. “It’s important to mention that none of the vulnerabilities have any sort of mechanism to propagate like that,” he said. “That’s a really critical thing you should look at with a security patch."

When looking at security vulnerabilities - particularly ones that have been fixes, there are two critical things to look at: (1) how bad is the problem and what could a hacker have possibly done and (2) how quickly would the security issue be spread?

These critical questions are the same that you'd ask about a real virus like the recent H1N1 strain of the flu: How sick could you get; and how contagious is it?

To answer the first question, you could look at the Apple-published documents, but you can never completely believe what the manufacturers tell you. It's in their interest to obscure details and make you feel more secure by not telling you exactly how vulnerable your machine was before you applied the patches.

However, in most cases such as these patches, you can refer back to the CVE-ID's of the specific vulnerabilities to find out exactly how badly exposed your computer was. In this case, most of the vulnerabilities looked like they had been found in the lab - or at least they weren't being used in the wild by hackers (yet). So a few "white hat" hackers (those on "our" side of the hacking world) found the security issues and reported them to Apple, who published a fix without the vulnerability being found by the "black hat" hackers. At least that's my guess based on what I read from the CVE reports.

Even then, these reports don't tell you "how sick" your machine would become. They simply say that "arbitrary code" could have been executed on your machine, so it's a bit unclear exactly how bad a "hack" using these security issues would have been.

What is clear is that it's unlikely that these hacks could have spread very quickly. All of them depended on people clicking on URLs (links) in emails or web pages which had bad coded embedded in them. Combined with the Mac's inherent internal security, this method of infection makes it very unlikely that an infected Mac could rapidly infect others.

In the end, these security patches do leave us with a few lessions: First off, don't click on a link that you don't recognize, either on a web page (for instance, on an unknown person's facebook page) or spam email. Secondly - apply security patches which you get from Apple's Software Update (or subscribe to our Managed Machines service for us to manage all of that for you). And Finally - be happy that you have a Mac, because even with these security issues, the Mac still protects viruses from spreading like they have on the PC.

Let's all hope that it stays that way.

Blogs

Upcoming Events


	TSP Quoted in eWeek: On Apple Security oh's blog Login or register to post comments I was queried yesterday by Nathan Eddy of eWeek about Apple's recent security patches. It's interesting that he was inquiring about these particular security patches, as they seemed quite run of the mill. The specific security fixes that he was inquiring about referred to Apple's Quicktime and iTunes programs. Here's what I said in the article: Michael Oh, founder of the Apple-specific, Boston-based company Tech Superpowers, said based on the support page for the QuickTime update, all of the vulnerabilities related to the idea that it is theoretically possible for a user to click on a URL, encoded in a certain way, and it may crash QuickTime or be used to execute a code. “I wouldn’t say it’s a large threat for the average user, but it’s a common attack vector used by a lot of hackers sending out spam, so it’s a pretty common type of thing you see out there,” he said. He pointed out there are theoretical hacks that can happen on any number of platforms, and singled out Apple’s diligence in security issues. “Apple has a pretty serious stance on security and addressing these issues,” he said. “They are very good at pushing these updates down to users—Apple simply sees those vulnerabilities, addresses them behind the scenes and then releases the updates." Oh said the stuff that really gets mainstream media attention, such as viruses or Trojans, tends to be things that have a mechanism to propagate wildly—as the term "virus" suggests. “It’s important to mention that none of the vulnerabilities have any sort of mechanism to propagate like that,” he said. “That’s a really critical thing you should look at with a security patch." When looking at security vulnerabilities - particularly ones that have been fixes, there are two critical things to look at: (1) how bad is the problem and what could a hacker have possibly done and (2) how quickly would the security issue be spread? These critical questions are the same that you'd ask about a real virus like the recent H1N1 strain of the flu: How sick could you get; and how contagious is it? To answer the first question, you could look at the Apple-published documents, but you can never completely believe what the manufacturers tell you. It's in their interest to obscure details and make you feel more secure by not telling you exactly how vulnerable your machine was before you applied the patches. However, in most cases such as these patches, you can refer back to the CVE-ID's of the specific vulnerabilities to find out exactly how badly exposed your computer was. In this case, most of the vulnerabilities looked like they had been found in the lab - or at least they weren't being used in the wild by hackers (yet). So a few "white hat" hackers (those on "our" side of the hacking world) found the security issues and reported them to Apple, who published a fix without the vulnerability being found by the "black hat" hackers. At least that's my guess based on what I read from the CVE reports. Even then, these reports don't tell you "how sick" your machine would become. They simply say that "arbitrary code" could have been executed on your machine, so it's a bit unclear exactly how bad a "hack" using these security issues would have been. What is clear is that it's unlikely that these hacks could have spread very quickly. All of them depended on people clicking on URLs (links) in emails or web pages which had bad coded embedded in them. Combined with the Mac's inherent internal security, this method of infection makes it very unlikely that an infected Mac could rapidly infect others. In the end, these security patches do leave us with a few lessions: First off, don't click on a link that you don't recognize, either on a web page (for instance, on an unknown person's facebook page) or spam email. Secondly - apply security patches which you get from Apple's Software Update (or subscribe to our Managed Machines service for us to manage all of that for you). And Finally - be happy that you have a Mac, because even with these security issues, the Mac still protects viruses from spreading like they have on the PC. Let's all hope that it stays that way. Submitted by oh on Wed, 06/03/2009 - 04:17 Public Content