I am sure LMH will reply to this on his own... I have a few comments
however.
>
> lmh,
>
> Of course there will be exploitable issues. It's only a matter of time
> to see *any* issue being "abused" in the wild. What's curious to me is
> you're speaking of, for instance, this rtsp issue like it's something
> manifestly new or unique (I know it's a "new" issue itself; that's not
> what I'm saying). We've seen issues to date that have allowed
> arbitrary code execution by a user just, for example, visiting a
> malicious web page. And then, Apple fixes the issue. What more do we
> want or expect?
A good start would be for Apple to communicate better with those folks
that do the actual reporting. Perhaps more timely fixes would be nice
as well. I've got at least one bug that is 3+ months old... waiting and
waiting sucks as more bugs start to pile up on one's plate. Also having
to follow up with Apple individually on each bug is lame... they should
be following up with us on a routine basis.
>
> I know you and others are on this kick of wanting to "prove" that Mac
> OS X is "insecure". But I don't know what it proves, exactly. That all
> large software projects and operating systems have bugs? No reasonable
> person says that Mac OS X is invulnerable or has no bugs. That would
> be absolutely ludicrous. And ordinary users don't understand anyway,
> even when you show them something like this.
It proves that Apple's marketing campaign is about as lame as Oracle's
unbreakable campaign. I found it quite ironic that I was sitting in my
room writing the InqTana worm and documenting various operating system
facilities that can help spread malware all the while the Mac commercial
was occasionally playing on the TV in my living room.
>
> What people do understand is machines getting hit with malware on a
> routine basis, or getting owned completely from remote in an automated
> fashion, with no user interaction whatsoever, which, as I'm sure
> you're aware, has happened numerous times, often with far-reaching
> consequences of downtime, data loss, cleanup and remediation, and
> recovery, on the "other" desktop platform.
And the point is that "this" platform has the ability to have the same
thing happen to it... there is no magical suit of armor on "this" OS.
>
> The real bottom line today and ever since Mac OS X was released is
> this: has the Mac OS X userbase to date, or will it realistically in
> the future based on past performance, be affected either:
>
> 1.) in absolute numbers, or
> 2.) as a percentage of the total userbase
>
> on a greater scale (or anywhere NEAR) anything we've seen affect the
> Windows platform?
Yeah... it's quite possible... that's the whole point of MOAB. If users
keep their current attitude and Apple keeps the current pace and trend
of not talking to researchers I can easily see a widespread worm /
exploit making a run across the user base.
>
> I guess I'm curious with what your exact beef is: is it ordinary users
> (correctly) thinking that Mac OS X is [insert some amount here] more
> secure, from a practical perspective, than Windows?
>
> Is it Apple's type/speed/thoroughness of response to security issues,
> once reported or revealed?
yes
>
> Is it Apple (again, correctly, from a practical perspective)
> insinuating the level of security on comparison to Windows in its
> commercials?
yes
>
> Is it Apple's legacy code, which is rife with various opportunities
> for exploits?
not sure what you mean here, non legacy code is also rife with various
opportunities. so... yes?
>
> What would possibly be more productive here, and what you also didn't
> answer in the FAQ, is what precise actions you think Apple should be
> taking to remedy, for example, bugs that it is not aware of.
We have previously voiced these concerns to Apple... on multiple occasions.
>
> Should it create new teams specifically to do code audits and find
> vulnerabilities proactively?
They claim to already have these teams (I've even personally met some of
the members)... they have some good people there but it blows my mind
how they could miss something like:
./src/SystemStarter.c:374: syslog(level, buf);
all the while making comments like: *"Because |launchd| is a critical system component, it
receives a lot of peer review by in-house developers at Apple. It is
less likely to contain security vulnerabilities than most production
code."*
in their secure coding guide. So hrmmmmmm let me get this straight....
you let stuff like syslog(DUH!) pass through your peer review process of
code that should be more secure than most of your other production code?
That was in some of their open source code... it makes you wonder wtf is
going on behind closed doors?
>
> Should it make public comment on security issues before it has
> provided a patch or fix?
Sure an Apple sec blog in the spirit of MSRC blog would be quite
interesting... I won't hold my breath for it to come though. I'd be
happy if they openly commented with ALL researchers on the issues that
they have brought to the table.
>
> Should it provide more granular separate fixes and workarounds more
> quickly for individual issues, instead of waiting to roll them into
> the next security or OS update?
Hotfixes would be nice... but in general just make the fixes more
timely. It's frustrating to see a new quicktime javascript bug get fixed
immediately when you have several bugs of your own that have been
sitting around festering for months.
>
> Also helpful would be some kind of outline of what you believe Apple
> is doing *wrong*, right now, on the security front.
I think the bugs speak for themselves. The rtsp:// overflow is a no
brainer... if they are paying someone to fuzz code and or audit it I
think that person or persons need to kick it up a notch. We have
certainly seen some stupid bugs from a company that claims to be working
in a proactive manner.
>
> And yes, I could make my own list. But I'm more curious about what you
> think. I'm also curious whether you recognize that, while there is
> still a long way to go, Apple has indeed greatly improved its response
> to security issues in direct response to complaints and feedback it
> has received from the enterprise/institutional community (e.g., via
> Apple University Executive Forum and MacEnterprise.org)?
Those people are not the ones reporting the bugs... it's still like
pulling teeth (for the researcher) in some cases as it has been for
years. I am lucky to have a relationship with several folks on the
security team and I still get frustrated. I'd hate to be starting from
ground 0 trying to report my first bug to them. How exactly did you draw
the conclusion that it has greatly improved? Do you have access to any
figures that show the time to patch vs. time reported? I'd like to see
the improvement charted or graphed.
> As a direct result, Apple started making detailed reports (at least far
> more detailed than they were before) of each issue addressed or fixed,
> links to (or creates) advisories where available (e.g., US-CERT,
> Secunia, MITRE), has made security updates more granular than they
> were in the past, and so on. As I said, yes, a long way to go.
Again I'd love to see the raw data that supports these comments. The
"long way to go" is what MOAB seeks to highlight... it is a wakeup call.
>
> So is this effort aimed at improving Apple's response, or at "shutting
> up" people who you would characterize as "fanboys"?
All of the above.
>
> Regards,
>
> Dave Schroeder
> University of Wisconsin - Madison
> das (at) doit.wisc (dot) edu
> http://das.doit.wisc.edu/
Happy Patching!
-KF
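The SystemStarter line KF quotes above is a format-string bug: the buffer is handed to syslog() as the format argument, so any '%' directives in it are interpreted instead of logged. The block below is an added illustration, not code from the thread or from Apple's sources; it puts the vulnerable pattern (as a comment) next to the hardened call, adds an in-memory formatter so the fix can be checked without writing to the system log, and a small review helper that counts directives in data that was about to be used as a format string. The function names and sample message are constructed for the example.

```c
/* Added example: format-string hygiene for log calls (not code from the thread). */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The pattern quoted in the thread (hypothetical reconstruction of the call site):
 *
 *     syslog(level, buf);            // buf becomes the FORMAT string
 *
 * If buf carries text influenced by a caller (a service name, an argument), every
 * '%' directive in it is interpreted by the printf engine. The fix is a fixed
 * format string, with the message only ever passed as an argument. */
static void log_safe(int level, const char *buf) {
    syslog(level, "%s", buf);       /* buf can never be parsed as a format */
}

/* Same fix applied to an in-memory formatter so the behaviour can be checked
 * without touching the system log: the message is copied verbatim, '%' included. */
static int format_safe(char *out, size_t outsz, int level, const char *buf) {
    return snprintf(out, outsz, "<%d> %s", level, buf);
}

/* Review helper: how many conversion directives would this string carry if it
 * were (mis)used as a format string? A doubled "%%" is a literal percent sign
 * and is not counted. Any count > 0 in caller-supplied data that reaches a
 * format parameter is a finding. */
static int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample input: a message that happens to contain directives. */
    const char *msg = "service %s failed (%d%%)";
    char out[128];

    format_safe(out, sizeof out, LOG_NOTICE, msg);
    printf("directives in message: %d\n", count_directives(msg));
    printf("rendered with fixed format: %s\n", out);
    log_safe(LOG_NOTICE, msg);      /* reaches syslog literally, directives intact */
    return 0;
}
```

Compilers flag the original pattern too: gcc's -Wformat-security warns on a non-literal format with no arguments, which is a cheap check to add to any build that a review process like the one described is supposed to catch.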