Mac OSX security

Some worthwhile news came out in Apple vulnerabilities and updates today.

It references the following CVEs:
CVE-2006-0396
CVE-2006-0397
CVE-2006-0398
CVE-2006-0399
CVE-2006-0400
These CVEs are currently under review and not yet public, but vendor updates are currently available.

There has been a lot of talk about the generalization of the culture of security superiority of Apple Macintosh users which I think is vastly overplayed. Where other OS vendors have had specific vulnerabilities identified, some organizational think tanks, such as SANS, have over-hyped exposures when compared to comparative vulnerabilities on Linux or Windows. As OSX is, for the most part, a collection of BSD fundamentals with some Apple user environment additions, I view FUD such as SANS proposed top ten (now redirecting to their top twenty) and has since backpedaled from their position on OSX being one of their top threats. They have since added this quotation to obscure their previous position:

Multiple questions have been submitted asking whether the entire MacOS is a security risk. Of course not, any more than the entire Internet Explorer is a security risk. MacOS includes software that has critical vulnerabilities and Apple has a patch policy, described below, that do not allow us to be more specific in identifying the elements of MacOS that contain the critical vulnerabilities. link

Full Disclosure did have a thread that ran on about this being out of character, but SANS seems to have become only slightly more subtle in their position as a security industry shill for Microsoft.

SANS behavior is not very notable in the information security industry as it seems that every certified professional you meet has something that they’re selling while claiming to be vendor independent. Corporate channel partners just funnel too much business, favors, and/or raw funding to experts and analysts for them (with exception) to maintain an unclouded bias. It is comparable to the conflicts of interest that stock market analysts are mired when tasked with making recommendations on their clients.

After all, if everyone has such horrible security problems, this would make the greatest offenders failings only moderate or par. This is a very weak argument and is usually backed up with statements like “X number of published vulnerabilities have been posted for platform or service Y” which I view as inherently meaningless in the same way the statement that OpenBSD has no remote holes in the base install. Something that offers few services (or none at all) is difficult to gain access to, but really has little to do with the quality or integrity of the system itself. Actual exposure and risk can only be realized and appreciated when a product or service is in a usable state.

Throwing around quantitative statistics has no meaning by themselves and underlines how far the industry and technical reporting has to go towards gaining any real credibility instead of being a sounding board for corporate marketing.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s