[ISN] Apple Gets Security Lecture from Microsoft

InfoSec News isn at c4i.org
Thu Mar 23 04:48:49 EST 2006


By Ryan Naraine 
March 22, 2006 

Apple is getting a lecture on its security response process from the
unlikeliest of places.

In a classic flipping of the script, a Microsoft program manager who
regularly serves as the public face of the software maker's security
response process rapped Apple for the way it handles security guidance
to customers.

In a series of entries on his personal blog at Stepto.com, Microsoft
program manager Stephen Toulouse called on the Cupertino, Calif.-based
Apple to hire a security czar and revamp the way information is
released when Mac OS X updates are shipped.

"Look, the only way you can tackle security issues is by getting out
ahead of them and clearly communicating to your users the threat, and
the clear guidance on how to be safe," Toulouse declared in a reaction
to what he described as the "recent trials and tribulations of Apple
in the security space."

"Here's the reality, for the next couple of years the Mac OS will
experience increasing security threats and mark my words, the company
will have to seek outside expertise in the form of a head of security
communications in the next 12 months," Toulouse added.

He said Apple needs a person "steeped in security issues, true
technical analysis, and can lead a good security team to get good
guidance out there."

Toulouse's statements, which were posted on his own blog and reflected
only his personal opinions, echoes a growing sentiment—in and outside
Redmond - that Microsoft is now the standard by which other vendors
are judged when it comes to dealing to security crises.

In the aftermath of the Blaster and Slammer worm attacks, Microsoft
has made significant changes to the way it fesses up to security
vulnerabilities and communicates with hackers in the private research

Toulouse said the company certainly learned from its own problems. "A
lot of the attacks Apple is experiencing today are just like the most
prevalent threats on Windows: Attacks that require the user to take an
action first. We've learned the lesson of getting out there fast and
providing clear prescriptive guidance," he added.

In response to an Apple spokesman who was quoted in a BusinessWeek
article as saying the company does not need a security figurehead
because the entire Apple staff cares about security, Toulouse said:  
"That's a little like saying the White House shouldn't have a
Department of Homeland Security because, DUH, everyone in the
government cares about security!"

A separate entry on Toulouse's blog also takes issue with statements
from Apple that the content in its security advisories are similar to
those released by Microsoft.

"[I] went to their most recent security update documentation. I note 
no mitigating factors in Apple's security communication for customers 
to assess their risk. I note no frequently asked questions in Apple's 
security communication to cover what an attacker could and could not 
do or any other information customers might ask about. I note no 
workarounds in Apple's security communication for people who cannot 
immediately deploy the update," Toulouse declared. 

"I note no deployment information for enterprises in Apple's security 
communication. I note no severity rating for any of the issues again 
so customers can assess their risk since updating can be disruptive 
sometimes. I note no file manifests in Apple's security information 
for customers to check to make sure updates are applied properly if 
they wish. I note no caveats in Apple's security communication in case 
changes made in the update cause known application compatibility 
issues or support issues are discovered," he added.

"I note no free support number for trouble with updates in Apple's 
security information in case customers need help applying the update," 
Toulouse countered.

He stressed that Microsoft's prepatch security alerts and subsequent 
security bulletins contain all that information because that's what 
customers demand.

When Apple was forced to re-release a security patch because of 
problems caused by the original update, Toulouse posted a third blog 
entry with another call for Apple to implement better internal 
security coordination and highlighted several weaknesses in the way 
Apple announced the patched patch. 

"In the original advisory, they note that a new version is available, 
so that's good. But, there's no RSS feed around it. You can get an RSS 
feed for ALL support articles, but not just for the ones that apply to 
security updates. Apple does have a security announce mailing list. 
But it doesn't seem to cover when there are new versions available 
when a bug is introduced by the update," he noted.

"One might argue that you don't need those things if you are using the 
built-in auto-update functionality of OS X, but I would argue back 
that the fact there was an update to the update might mean people turn 
that off to test updates before deployment because of problems like 
this. Oh well," Toulouse declared. 

More information about the ISN mailing list