Focus on Apple
Month of Apple Bugs now live, Jan 02 2007 04:06PM, Dave Schroeder (das doit wisc edu)
  Re: Month of Apple Bugs now live, Jan 02 2007 05:41PM, K F (lists) (kf_lists digitalmunition com)
    Re: Month of Apple Bugs now live, Jan 02 2007 06:38PM, Dave Schroeder (das doit wisc edu)

On Jan 2, 2007, at 11:41 AM, K F (lists) wrote:

> I am sure LMH will reply to this on his own... I have a few
> comments however.
>>
>> lmh,
>>
>> Of course there will be exploitable issues. It's only a matter of
>> time to see *any* issue being "abused" in the wild. What's curious
>> to me is you're speaking of, for instance, this rtsp issue like
>> it's something manifestly new or unique (I know it's a "new" issue
>> itself; that's not what I'm saying). We've seen issues to date
>> that have allowed arbitrary code execution by a user just, for
>> example, visiting a malicious web page. And then, Apple fixes the
>> issue. What more do we want or expect?
> A good start would be for Apple to communicate better with those
> folks that do the actual reporting. Perhaps more timely fixes
> would be nice as well. I've got at least one bug that is 3+ months
> old... waiting and waiting sucks as more bugs start to pile up on
> one's plate. Also having to follow up with Apple individually on
> each bug is lame... they should be following up with us on a
> routine basis.

Agreed. Apple needs to devote more resources to security, and Product
Security should be a technical/operational group, not a marketing
one. Staff should be dedicated exclusively to technical product
security and auditing. Engineering staff working on the issues should
be able to directly communicate in an official capacity with those
who have reported the issues.

>> I know you and others are on this kick of wanting to "prove" that
>> Mac OS X is "insecure". But I don't know what it proves, exactly.
>> That all large software projects and operating systems have bugs?
>> No reasonable person says that Mac OS X is invulnerable or has no
>> bugs. That would be absolutely ludicrous. And ordinary users don't
>> understand anyway, even when you show them something like this.
> It proves that Apple's marketing campaign is about as lame as
> Oracle's "unbreakable" campaign. I found it quite ironic that I was
> sitting in my room writing the InqTana worm and documenting various
> operating system facilities that can help spread malware all the
> while the Mac commercial was occasionally playing on the TV in my
> living room.

But Apple never said Mac OS X was "unbreakable". What it does say and
insinuate (e.g., with the PC/Mac ads where the PC has a cold) is that
you're basically safe from a lot of the crap that's out there on a
Mac, as opposed to on a PC. And that's true, no matter how you slice
it. Someone running a Mac has a much, much, much lower chance of
having to deal with any kind of malware on their machine, and
statistically (based on past performance) probably won't encounter
any. Positioning the Mac like that, which is more or less accurate,
is different from saying that the Mac is unbreakable or that Mac OS X
is invulnerable and/or bug free.

When Apple makes these claims you say it makes (which are really
more general than anything), it is making them at a general level, in
advertising no less. For them to paint a picture of Mac OS X as more
secure/less prone to viruses/etc. at a *practical, real-life, day to
day* level is perfectly appropriate. If you feel this marketing is
indicative of a deeper corporate cultural belief within Apple that
hinders its effectiveness in handling security issues, that's a
different story altogether.

>> What people do understand is machines getting hit with malware on
>> a routine basis, or getting owned completely from remote in an
>> automated fashion, with no user interaction whatsoever, which, as
>> I'm sure you're aware, has happened numerous times, often with far-
>> reaching consequences of downtime, data loss, cleanup and
>> remediation, and recovery, on the "other" desktop platform.
> And the point is that "this" platform has the ability to have the
> same thing happen to it... there is no magical suit of armor on
> "this" OS.

I didn't say there was. But until there IS an automated worm with a
vector for mass propagation that affects a percentage of the userbase
anywhere close to what similar automated worms requiring no user
interaction have on Windows, there is a huge distinction.

As an aside, I also take issue with the characterization of "from
remote" in exploit nomenclature in general. A user having to do
something specific is still much different than malware being able to
spread (or a machine being owned) in a way that requires no user
interaction whatsoever, which we have seen several times, severely,
on Windows.

>> The real bottom line today and ever since Mac OS X was released is
>> this: has the Mac OS X userbase to date, or will it realistically
>> in the future based on past performance, be affected either:
>>
>> 1.) in absolute numbers, or
>> 2.) as a percentage of the total userbase
>>
>> on a greater scale (or anywhere NEAR) anything we've seen affect
>> the Windows platform?
> Yeah... it's quite possible... that's the whole point of MOAB. If
> users keep their current attitude and Apple keeps the current pace
> and trend of not talking to researchers I can easily see a
> widespread worm / exploit making a run across the user base.

How would a change in "user attitude" change the actual security
situation on Mac OS X? I don't see a change in user attitude changing
anything. Many Windows users know, at least marginally, that they are
the target of innumerable attacks and thousands of pieces of malware.
How does that change in any meaningful way the security situation on
Windows?

Now, if you're arguing that users should have, e.g., antivirus
software instead of thinking that it's ok to run without because
there are "no Mac viruses", or that pressure from an informed
userbase will change a vendor's attitude and response to security, I
guess I would agree (save for the fact that, to date, AV software on
Mac OS X has literally done more harm than any malware has, with the
3 separate instances of false-positive problems doing anything from
alarming users and having them do things like reinstall their OS when
nothing is actually wrong, to actually quarantining critical pieces
of the OS (like the swap file), thus crashing the computer and making
people further believe that something is wrong or that they're
"infected" when in fact they're not). Also, chances are, most things
covered by MOAB wouldn't be covered by AV or anti-malware software
anyway, so, from that perspective, how would changing a typical
user's "attitude" help this situation?

People thinking that the Mac platform is "more secure" (overall
correctly, in my opinion) is mostly a PR and marketing win for Apple.
The only thing I see changing a user's "attitude" doing is getting
people to reconsider their decision to perhaps switch to Mac OS X
because they're fed up with all the spyware and malware they deal
with on a daily basis on Windows. And, for whatever it's worth, I
think that's unfair.

Isn't the real issue how many people are *actually affected* by
issues in the day to day, real-life use of their computer?

>> I guess I'm curious with what your exact beef is: is it ordinary
>> users (correctly) thinking that Mac OS X is [insert some amount
>> here] more secure, from a practical perspective, than Windows?
>>
>> Is it Apple's type/speed/thoroughness of response to security
>> issues, once reported or revealed?
> yes
>>
>> Is it Apple (again, correctly, from a practical perspective)
>> insinuating the level of security on comparison to Windows in its
>> commercials?
> yes
>>
>> Is it Apple's legacy code, which is rife with various
>> opportunities for exploits?
> Not sure what you mean here; non-legacy code is also rife with
> various opportunities. So... yes?

I'm just using it as an example. Many folks, like nemo, continually
bring up how bad the "legacy code" is, and I was just tossing that
out as a discussion starter.

>> What would possibly be more productive here, and what you also
>> didn't answer in the FAQ, is what precise actions you think Apple
>> should be taking to remedy, for example, bugs that it is not aware
>> of.
> We have previously voiced these concerns to Apple... on multiple
> occasions.

So have we...

>> Should it create new teams specifically to do code audits and find
>> vulnerabilities proactively?
> They claim to already have these teams (I've even personally met
> some of the members)... they have some good people there but it
> blows my mind how they could miss something like:
>
> ./src/SystemStarter.c:374: syslog(level, buf);
>
> all the while making comments like: *"Because launchd is a
> critical system component, it receives a lot of peer review by
> in-house developers at Apple. It is less likely to contain security
> vulnerabilities than most production code."*
>
> in their secure coding guide. So hrmmmmmm let me get this
> straight.... you let stuff like syslog (DUH!) pass through your peer
> review process of code that should be more secure than most of your
> other production code? That was in some of their open source
> code... it makes you wonder wtf is going on behind closed doors?

Ok, but here's an example of the OSS philosophy helping the
situation, right? Instead of taking it as a negative, shouldn't this
be seen as a positive? And on the OSS topic, isn't some code being
open better than none (e.g., Windows)?

I know what your argument is...if this is escaping peer review on a
critical OS component AND is open source no less, what else is going
on in the proprietary code? But can't a similar argument that we
don't know ANYTHING about what's going on be fundamentally made
about, say, Windows? (And yes, I would agree that Microsoft has
massively cleaned up its act on this front in recent years.)

>>
>> Should it make public comment on security issues before it has
>> provided a patch or fix?
> Sure, an Apple sec blog in the spirit of the MSRC blog would be quite
> interesting... I won't hold my breath for it to come though. I'd be
> happy if they openly commented with ALL researchers on the issues
> that they have brought to the table.

This is one thing that is genuinely interesting to me. Is it because
perceived communication and comment would force Apple to respond to
issues more quickly, else it would start to be pretty embarrassing?
If something else, what would the benefit be? Let's just for the sake
of argument say that Apple is able to significantly decrease its
response time to something that you'd find within the ballpark of
being acceptable. How would a security blog actually help things?
Note I am NOT arguing against such a blog or more open communication;
I am asking how that would directly help what you now see as security
deficiencies.

>> Should it provide more granular separate fixes and workarounds
>> more quickly for individual issues, instead of waiting to roll
>> them into the next security or OS update?
> Hotfixes would be nice... but in general just make the fixes more
> timely. It's frustrating to see a new QuickTime JavaScript bug get
> fixed immediately when you have several bugs of your own that have
> been sitting around festering for months.

Ok, that is perfectly fair.

>> Also helpful would be some kind of outline of what you believe
>> Apple is doing *wrong*, right now, on the security front.
> I think the bugs speak for themselves. The rtsp:// overflow is a no
> brainer... if they are paying someone to fuzz code and/or audit it
> I think that person or persons need to kick it up a notch. We have
> certainly seen some stupid bugs from a company that claims to be
> working in a proactive manner.

Also fair. Apple should devote far more resources to this sort of
thing, else it will find itself in the unenviable position of taking
years to right the ship in the security realm, something Microsoft
has been doing for the last several years, and will be recovering
from for years more.

>> And yes, I could make my own list. But I'm more curious about what
>> you think. I'm also curious whether you recognize that, while
>> there is still a long way to go, Apple has indeed greatly improved
>> its response to security issues in direct response to complaints
>> and feedback it has received from the enterprise/institutional
>> community (e.g., via Apple University Executive Forum and
>> MacEnterprise.org)?
> Those people are not the ones reporting the bugs...

That doesn't matter. We're the people who benefit from bugs being
*fixed*. We have more of a vested interest in it than anyone.

> It's still like pulling teeth (for the researcher) in some cases as
> it has been for years. I am lucky to have a relationship with
> several folks on the security team and I still get frustrated. I'd
> hate to be starting from ground 0 trying to report my first bug to
> them.

Agreed, but, black-hole and one-way mechanisms as they are,
product-security@apple.com and bugreporter.apple.com are fairly
straightforward. I have reported issues to
product-security@apple.com, and received answers and feedback via that
channel. Granted, that is not something I do frequently by any means.

> How exactly did you draw the conclusion that it has greatly
> improved? Do you have access to any figures that show the time to
> patch vs. time reported? I'd like to see the improvement charted or
> graphed.

Well, I don't have data on time of report to time of patch. What I am
referring to here is the fact that Apple used to release almost zero
details about security fixes, or would omit mention of them
altogether. When they did make mention of fixes, laughably short on
details, no vulnerability description would ever be tied to it, and
even if you could relate it to an advisory, Apple would almost never
respond to update the advisory. Now, they provide a specific
description of what was fixed, what issue was addressed, which
advisory(ies) were relevant, inform the advisory clearinghouse of
the fix, and so on. And, the fixes have been more granular and
frequent than they have in the past. Since I don't have access to the
reporting data, I don't know if this is because they really are more
frequent, or there are just more things to fix. Either way, Apple
made specific, identifiable changes at the request of people outside
of Apple, and there was two-way feedback in that process.

Perhaps security researchers should become more involved from the
MacEnterprise side, since that is Apple's channel to the enterprise
community, which itself is very interested in Mac OS X/Mac OS X
Server security?

>> As a direct result, Apple started making detailed reports (at least
>> far more detailed than they were before) of each issue addressed
>> or fixed, links to (or creates) advisories where available (e.g.,
>> US-CERT, Secunia, MITRE), has made security updates more granular
>> than they were in the past, and so on. As I said, yes, a long way
>> to go.
> Again I'd love to see the raw data that supports these comments.
> The "long way to go" is what MOAB seeks to highlight... it is a
> wakeup call.

I'm sure pretty much everyone that is part of UEF and MacEnterprise -
people who professionally run, sometimes as their sole
responsibility, Mac OS X and Mac OS X Server in enterprise/
institutional/government/military environments - would agree that
Apple has improved a lot in terms of security handling since 10.0.
We'd all agree there is also a long way to go. Again, I'm speaking as
production deployers of Mac OS X, not as security researchers
reporting bugs to Apple.

>> So is this effort aimed at improving Apple's response, or at
>> "shutting up" people who you would characterize as "fanboys"?
> All of the above.

I don't see how saying "In your face, fanboi!" or enabling others to
say "See? Mac OS X is just as insecure as Windows; in fact, maybe
more insecure!" (which people have already been saying) helps the Mac
OS X security situation in any meaningful way. Similar to the way you
found the TV commercials ironic while you were working on InqTana, I
find it ironic that half the time I'm crafting a reply to someone who
is making arguments about Mac OS X being a big bug-ridden pile of
Swiss cheese that is quite definitely worse than Windows, I have
devoted virtually zero time to any kind of security response to Mac
OS X/Mac OS X Server, while I constantly see new news reports of
remote, fully automated exploits for fully patched Windows systems in
the wild. My current favorite is one that is currently affecting
hundreds of machines at my location, and thousands at other
institutions, which is an automated worm that spreads via Symantec
AntiVirus, of all things.

- Dave
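The `./src/SystemStarter.c:374: syslog(level, buf);` line K F quotes above is the classic format-string mistake: syslog(3) is printf-like, so whatever ends up in `buf` is parsed as a format rather than logged as text. The following is an added example, not code from SystemStarter, launchd or Apple, and the function names in it are hypothetical. It puts the vulnerable call pattern beside its one-token fix, uses snprintf(3)/vsnprintf(3) as a stand-in for syslog so the result is visible in a buffer, and includes a small review-time check that counts `%` conversions in data about to be used as a format.

```c
/*
 * Format-string demo for the syslog(level, buf) pattern quoted in the
 * thread above. Added example; not code from SystemStarter, launchd or
 * Apple. The function names are hypothetical.
 *
 * syslog(3) is printf-like: its second argument is a *format*. Passing a
 * message that may contain attacker-influenced text as that argument lets
 * '%' directives drive the formatter. snprintf(3) stands in for syslog here
 * so the result lands in a buffer we can inspect.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable form. Mirrors syslog(level, buf): variadic, and the caller
 * hands the message in the format slot with no further arguments, so any
 * '%' in msg is interpreted rather than copied.
 */
static int log_unsafe(char *out, size_t n, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int r = vsnprintf(out, n, msg, ap);
    va_end(ap);
    return r;
}

/* Fixed form. The format is a literal; msg is only ever a %s argument. */
static int log_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/*
 * Review/runtime check: count conversion specifications in a string
 * that is about to be used as a format. "%%" is a literal percent sign
 * and is not counted. A non-zero result for data that originated
 * outside the program is exactly the condition that makes
 * syslog(level, buf) exploitable.
 */
static int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Does the unsafe logger reproduce msg verbatim? 1 = yes, 0 = it was parsed. */
static int preserves_input(const char *msg)
{
    char out[128];
    log_unsafe(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    /*
     * Constructed sample. "%%" is used because it is well-defined for
     * both loggers (no missing varargs are read). "%x" or "%n" through
     * log_unsafe would be undefined behaviour: that is the actual bug.
     */
    const char *msg = "item 100%% done";
    char a[128], b[128];

    log_unsafe(a, sizeof a, msg);
    log_safe(b, sizeof b, msg);
    printf("unsafe: %s\n", a);
    printf("safe:   %s\n", b);
    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

The practical check for the original pattern needs no custom code at all: compiling with `gcc -Wall -Wformat -Wformat-security` reports "format not a string literal and no format arguments" on a call shaped like `syslog(level, buf)`, which is the warning a peer review of launchd/SystemStarter would have wanted enabled.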

Copyright 2010, SecurityFocus