I’m surprised that some of these behaviors that I mentioned a year ago haven’t changed.
Yesterday many Apple users were installing a system security update. Depending on what article you read, this was either a really huge deal involving “monsters” and giant failures or a snoozefest of local vulnerabilities and not much of an issue at all except for the issue with preview.
What seems clear is that a lot of people take Apple super seriously. I’m pretty unclear on why.
I understand why my kool-aid drinking friends at The Empire are down on Apple. It comes with the territory. What I don’t understand are why some of the more level headed open source coders freak out about it. This vulns are largely open source local exploits. OSX threat vectors do not currently involve:
- no usb autorooters
- cdrom pwnkits
- no real self propagating malware (yet)
Apple definitely has some interns writing code over there and it has shown on occasion, but I still think they’re ahead of the pack. Most of the complaints when the SANS FUD was brought up surrounded “well mac users are clueless” which is generally a valid point when it comes to common good practices. After all, types like me are always going to be in the minority. Why? Because people should not have to be hotshot information security experts to read their email or buy a book online.
Even though the drum is being thumped as much as possible trying to express “look! they’re just as bad as we are or maybe worse!” it isn’t playing out if you understand that open source software is easier to audit than proprietary software that needs to be beat on with fuzzers to prospect for quantitative results. Historically, every high or medium exposure will have malcode floating around in short order for Windows. So far it’s not easy enough to weaponize or just not worth the trouble of doing so for OSX.
I feel more comfortable about a fast disclosure and remediation cycle than a secret one where patches are only issued if there is exploit code in the wild and it can’t wait for the next service pack release to quietly fix the problems without attention from the nerdly public. It is a more honest and forthright policy which leads to building trust and more meaningful risk forecasting.
I think everyone that has been in my industry for a while has many examples of where embarrassing flaws and proof of concept code has shown what has been labeled as “purely theoretical” or “just a ipv6 bug” was anything but. Remember these lessons in your travels forward. Especially when companies like Cisco are going to put a bunch of features in IOS after unifying their target platform for heap overflows after denying their existence.
The more things change, the more they seem to stay the same in this game.