By Ryan Singel
Security researchers have long speculated that Apple has benefited from
security by obscurity, escaping attention from malicious hackers because
Windows-based computers dominate in homes and offices. But Apple's new
Safari for Windows puts it right in hackers' crosshairs. The browser
gives hackers another way to attack Windows and security researchers
will now likely spend hours hunting down holes in the code.
But Apple's culture of secrecy and slick marketing has put it at odds
with a community that values openness and honesty -- a lot of computer
security experts aren’t very fond of the computer maker.
Indeed some in the security community think Apple's stance towards
security is as bad as Microsoft's was in the days when it was called the
"Evil Empire," prior to Bill Gates's declaration in 2002 that security
was the company's top priority.
When asked over the phone if Apple treated security researchers well,
Black Hat founder Jeff Moss relayed the question to researchers at the
Computer Security Institute conference. Howls of derisive laughter came
pouring through his cell phone.
"They are vulnerable like anyone else, but they are still controlled by
marketing campaigns," said Moss. "Their approach will change -- but when
will it change?"
Apple has a mixed reputation in the security community. It's been
criticized for how it handles reports of vulnerabilities, how it reports
the severity of bugs in automatic security updates and how long it takes
to patch flaws.
In addition, Moss said Apple has a reputation of not crediting
researchers who find bugs. Security researchers generally adhere to a
policy of reporting bugs quietly to software vendors ahead of time in
return for public credit when a fix is shipped. However, Apple has been
accused of fixing bugs silently, or fixing a security bug and
reclassifying it as a "usability bug" rather than crediting researchers.
By releasing a beta version of Safari to the public, Apple expects to
get feedback on bugs and vulnerabilities, but some researchers are loath
to provide it unless they get proper credit.
Security researcher David Maynor said he found six Safari bugs in one
day using commonly available tools that Apple engineers should have used.
"Apple is using the research community as their (quality assurance)
department, which makes me not want to report bugs," he said. "If they
aren't going to run these tools, why should I run them and report them?"
While Maynor says he follows this policy for companies like Microsoft,
he refuses to report bugs to Apple following a vitriolic contretemps
last summer involving a wireless-driver bug. Maynor contends Apple
attacked his credibility, while Maynor’s detractors say he overstated
the severity of the exploit.
One of the bugs is a remote exploit that works on the beta browser and
the current production version of Safari for Mac OS X, according to
Maynor, who says he plans to hold onto the exploit until he can buy an
iPhone and break into it.
Maynor is not alone in probing the new browser. Just one day after Apple
released the Safari beta, security researchers published detailed
accounts of critical vulnerabilities in the browser, ranging from
attacks that simply crashed the browser, to one that allowed a website
to run commands on the computer of a visitor running Safari.
But animus towards Apple is not universal in the security community.
Dino Dai Zovi, a security researcher who recently won $10,000 by taking
over a Mac remotely, says he's reported nine vulnerabilities to Apple
and found them to be as responsive as most in the industry.
Apple tends to be slow issuing patches, according to Dai Zovi, but can
be quick when there's a lot of public scrutiny, such as with his
QuickTime/Java exploit, which it fixed in a "groundbreaking" eight days.
But Dai Zovi said Apple may be about to enter much hotter water, thanks
to its new Windows browser, the hot new iPhone and increased Mac market
share.
"They are going to have to deal with a lot more vulnerability reports,"
Dai Zovi said. "Just like Microsoft, once the public perception of
security impacts sales, Apple will most likely step it up."
David Goldsmith, the president of Matasano Security, echoed Dai Zovi's take
on Apple's handling of reports, saying he's never had a problem with
Apple not crediting him for a bug, but that in the past Apple had a
habit of underplaying the severity of the bug.
Goldsmith said Apple might have to fix bugs faster because more people
will be watching what the company does.
"Apple has a reputation of being more secure and one of the theories is
that it is because less people are looking at it (for vulnerabilities),"
Goldsmith said. "(The Windows Safari browser) may prove to be a way of
validating that claim. It is safe to say they are going to change the
way they react to these communications just because they will have more
exposure to them."
Apple was not immediately available for detailed comment, but a
spokesperson pointed out that the Safari browser relies on an
open-source browser engine that has been well tested and used by
companies like Nokia.
Received on Fri Jun 15 01:25:13 2007