[ISN] Apple Gets Security Lecture from Microsoft
isn at c4i.org
Thu Mar 23 04:48:49 EST 2006
By Ryan Naraine
March 22, 2006
Apple is getting a lecture on its security response process from the
unlikeliest of places.
In a classic flipping of the script, a Microsoft program manager who
regularly serves as the public face of the software maker's security
response process rapped Apple for the way it handles security guidance
In a series of entries on his personal blog at Stepto.com, Microsoft
program manager Stephen Toulouse called on the Cupertino, Calif.-based
Apple to hire a security czar and revamp the way information is
released when Mac OS X updates are shipped.
"Look, the only way you can tackle security issues is by getting out
ahead of them and clearly communicating to your users the threat, and
the clear guidance on how to be safe," Toulouse declared in a reaction
to what he described as the "recent trials and tribulations of Apple
in the security space."
"Here's the reality, for the next couple of years the Mac OS will
experience increasing security threats and mark my words, the company
will have to seek outside expertise in the form of a head of security
communications in the next 12 months," Toulouse added.
He said Apple needs a person "steeped in security issues, true
technical analysis, and can lead a good security team to get good
guidance out there."
Toulouse's statements, which were posted on his own blog and reflected
only his personal opinions, echoes a growing sentimentin and outside
Redmond - that Microsoft is now the standard by which other vendors
are judged when it comes to dealing to security crises.
In the aftermath of the Blaster and Slammer worm attacks, Microsoft
has made significant changes to the way it fesses up to security
vulnerabilities and communicates with hackers in the private research
Toulouse said the company certainly learned from its own problems. "A
lot of the attacks Apple is experiencing today are just like the most
prevalent threats on Windows: Attacks that require the user to take an
action first. We've learned the lesson of getting out there fast and
providing clear prescriptive guidance," he added.
In response to an Apple spokesman who was quoted in a BusinessWeek
article as saying the company does not need a security figurehead
because the entire Apple staff cares about security, Toulouse said:
"That's a little like saying the White House shouldn't have a
Department of Homeland Security because, DUH, everyone in the
government cares about security!"
A separate entry on Toulouse's blog also takes issue with statements
from Apple that the content in its security advisories are similar to
those released by Microsoft.
"[I] went to their most recent security update documentation. I note
no mitigating factors in Apple's security communication for customers
to assess their risk. I note no frequently asked questions in Apple's
security communication to cover what an attacker could and could not
do or any other information customers might ask about. I note no
workarounds in Apple's security communication for people who cannot
immediately deploy the update," Toulouse declared.
"I note no deployment information for enterprises in Apple's security
communication. I note no severity rating for any of the issues again
so customers can assess their risk since updating can be disruptive
sometimes. I note no file manifests in Apple's security information
for customers to check to make sure updates are applied properly if
they wish. I note no caveats in Apple's security communication in case
changes made in the update cause known application compatibility
issues or support issues are discovered," he added.
"I note no free support number for trouble with updates in Apple's
security information in case customers need help applying the update,"
He stressed that Microsoft's prepatch security alerts and subsequent
security bulletins contain all that information because that's what
When Apple was forced to re-release a security patch because of
problems caused by the original update, Toulouse posted a third blog
entry with another call for Apple to implement better internal
security coordination and highlighted several weaknesses in the way
Apple announced the patched patch.
"In the original advisory, they note that a new version is available,
so that's good. But, there's no RSS feed around it. You can get an RSS
feed for ALL support articles, but not just for the ones that apply to
security updates. Apple does have a security announce mailing list.
But it doesn't seem to cover when there are new versions available
when a bug is introduced by the update," he noted.
"One might argue that you don't need those things if you are using the
built-in auto-update functionality of OS X, but I would argue back
that the fact there was an update to the update might mean people turn
that off to test updates before deployment because of problems like
this. Oh well," Toulouse declared.
More information about the ISN