March 14th, 2007
Apple bumper patch vindicates MOAB, MOKB hackers
When the controversial Month of Apple Bugs (MOAB) project ended earlier this year, a derisive "that was it?" reaction could be heard coming from the Mac faithful.
Outside of a QuickTime code execution exploit (which required user interaction), the majority of the MOAB vulnerabilities released dealt with denial-of-service crashes and privilege escalation bugs, prompting the dismissal of the project as a failed publicity stunt.
But, a close look at Apple's latest batch of bumper patches provides total vindication to LMH and Kevin Finisterre, the two hackers who went against the grain and called attention to serious defects in code coming out of Cupertino. Same goes for the researchers who participated in last November's MOKB (Month of Kernel Bugs), a sister project that highlighted kernel-level vulnerabilities in various operating systems, including Apple's flagship Mac OS X.
Apple's 2007 patch count is an eye-opener. Seven updates, 62 vulnerabilities.
Yesterday's bumper Security Update 2007-003 provided fixes for a whopping 45 security bugs affecting Mac OS X users.
The biggest takeaway from Apple's advisories since last November is the patches that address flaws found during the MOKB and MOAB disclosure projects. More importantly, in the brief notes in Apple's public bulletins, the company is making it clear that many of the MOKB/MOAB flaws were "high risk" issues that could lead to arbitrary code execution attacks. Very serious issues.
It's refreshing to see Apple reacting to those projects and getting fixes out in a timely manner, even crediting the MOKB/MOAB hackers in its bulletins but there's a lot of work to be done at Apple if the security reality is to match those Mac commercials.
Apple's marketing department gets a kick out of kicking sand in Microsoft's eye on security but, truth be told, Apple has a long way to go to match Redmond's seriousness around security. This is an issue that was raised almost a year ago by Microsoft's Stephen Toulouse and it's worth repeating.
Here are five recommendations that spring to mind:
1. Apple desperately needs a security czar to who is empowered to face the reality that there are serious problems with its code quality. When the first batch of code execution holes affecting Windows Vista comes from code created by Apple, those Mac commercials start to look rather silly. A job listing spotted by CNET's Robert Vamosi offers evidence that Apple is looking for a "security expert" to "help provide guidance on security topics to all groups across Apple, and help teams design security into new cutting-edge features and technologies." Hopefully, this is a high-level position (a la Window Snyder at Mozilla) with the power to make meaningful changes.
2. Apple needs to fix its patch release process and beef up the information in its advisories. It looks like they're on a monthly patch schedule but, who knows? I know it sounds sacrilegious to say Microsoft is a perfect example to copy but, roll your eyes all you want, it's the plain old truth. Set up a monthly patch release schedule — I say piggyback on Microsoft's and make it easy for admins to plan/prepare for patches — and start adding mitigations in the bulletins for customers who might not be able to patch immediately.
3. The bulletins need a makeover. In addition to mitigations and workarounds, the bulletins need a clearly marked severity rating. Adopt CVSS and add those severity scores alongside a color-coded scheme to let the average end user understand the risk. If your customers are at risk, you have a responsibility to let them know in an upfront, honest manner.
4. Apple is in the ThreatCode hall-of-shame because of serious warts in its patch deployment process. Read this lament from an IT administrator to see just how frustrating it is to apply a QuickTime patch in a Windows environment. If you're still not sold on how bad things are, check this and this. These are real, legitimate issues that need fixing. If you're deploying a patch, it needs to be a painless, automatic process for every customer, even if they're on a Windows box.
5. Why is there an "iPod Service" always running as LocalSystem on my mom's Windows XP machine? She doesn't own an iPod. If there's a security flaw in that service (MOAB proves that they do exist if you look hard for them), Apple would have put my mom at needless risk. Apple's security people should be recommending that these automatic services be unbundled from QuickTime and iTunes.
And a bonus:
6. A PR person that doesn't respond to media queries on legitimate security issues is a disservice to any company. Apple's weakness here tops the list.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
